vtable-development-assistant
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's HTML templates (
template/demo.html,template/diagnosis.html) fetch the @visactor/vtable, @visactor/vchart, and monaco-editor libraries from cdn.jsdelivr.net, which is a well-known and reputable content delivery network. - [COMMAND_EXECUTION]: The skill utilizes Python scripts (
scripts/generate_demo_html.py,scripts/generate_diagnosis_html.py) to automate the generation of HTML reports. These scripts perform basic string substitution to embed user-defined configurations into predefined templates. - [REMOTE_CODE_EXECUTION]: The generated HTML demo pages use new Function() and eval-like patterns to execute the VTable configuration code written by the user or agent. This dynamic execution is local to the user's browser environment and is the intended mechanism for the interactive 'Demo' and 'Diagnosis' features.
- [PROMPT_INJECTION]: The skill processes code provided in spec.js and config.js (ingestion points), which is then executed in a generated HTML context. While this lacks strict boundary markers for embedded instructions, it includes basic sanitization via escape_js_string in the generation scripts. This capability (browser-side JS execution) is restricted to the demo environment and aligns with the tool's primary purpose as a development playground.
Audit Metadata