svg-assembly-animator
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill accepts SVG files as input and interpolates them directly into an HTML template (assets/animation_template.html) for animation and rendering. This ingestion of untrusted data without sanitization could lead to indirect prompt injection or cross-site scripting (XSS) if the SVG contains malicious scripts.
- Ingestion points: SVG content is inserted into the container div of the HTML template.
- Boundary markers: None identified.
- Capability inventory: Browser-side execution restricted to the DOM and canvas; no filesystem or network-level capabilities.
- Sanitization: No sanitization or filtering of the SVG content is performed before insertion.
- [EXTERNAL_DOWNLOADS]: Fetches the GSAP (GreenSock) and JSZip libraries from Cloudflare's public CDN to enable motion graphics and frame-sequence export functionality.
Audit Metadata