implementing-hotwire-admin

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The Stimulus controllers in steps/05_stimulus_controllers.md use innerHTML to render values taken from the DOM. confirm_dialog_controller.js injects titleValue and messageValue, and file_preview_controller.js injects file.name. Because these values are written as markup rather than text, malicious user input could execute arbitrary JavaScript in the browser (cross-site scripting).
  • [EXTERNAL_DOWNLOADS]: The skill sets up a testing environment by downloading browser binaries. steps/07_e2e_test_implementation.md instructs the user to run npx playwright install chromium --with-deps, which fetches browser components from a well-known external service.
  • [COMMAND_EXECUTION]: Standard development commands are used for environment setup and testing. For instance, steps/01_setup_and_routing.md uses rails generate controller and steps/07_e2e_test_implementation.md uses bundle exec rspec.
  • [CREDENTIALS_UNSAFE]: Default credentials are included in example configurations. steps/07_e2e_test_implementation.md provides a GitHub Actions workflow with POSTGRES_PASSWORD: postgres.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 1, 2026, 10:42 PM