visual-explainer
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches several well-known visualization and animation libraries from the jsDelivr CDN (cdn.jsdelivr.net), including Mermaid.js for diagramming, Chart.js for data visualization, and Anime.js for orchestrated animations. It also retrieves typography resources from Google Fonts. These are well-known technology services used for their intended purposes.
- [COMMAND_EXECUTION]: To display the generated HTML explainers, the skill employs standard platform-specific commands such as 'open' (macOS) or 'xdg-open' (Linux). This execution is restricted to launching the local file created by the agent in the user's default browser.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it ingests untrusted user data to populate HTML templates. While the skill focuses on technical visualization, it lacks explicit sanitization logic for user-provided strings within the generated HTML. However, since the output is a static file viewed locally by the user, the risk is minimal and consistent with the primary purpose of the skill.