json-render-catalog
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [METADATA_POISONING]: The skill makes unverifiable and likely false claims regarding its origin and popularity. It identifies as a 'Vercel Labs' project with '12.9K stars' in the SKILL.md file, but the provided documentation links point to a personal repository ('nicholasgriffintn/json-render') that does not reflect these metrics or affiliation. This brand impersonation is a technique used to deceive the agent and user into trusting the skill's safety and quality.
- [DATA_EXFILTRATION]: The specification format described in rules/action-state.md and references/spec-format.md defines 'submit' and 'load_data' actions. These primitives allow the UI specification to trigger POST/PUT and GET requests to arbitrary URLs. If the agent processes a specification from an untrusted or adversarial source, these actions could be abused to exfiltrate sensitive application state (referenced via '$ref' pointers) to an attacker-controlled endpoint.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill references a large ecosystem of '@json-render' packages in references/package-ecosystem.md and recommends their installation. These packages are not associated with a trusted vendor and their safety cannot be verified within the context of the skill. Recommending unvetted third-party dependencies increases the supply chain risk for the integrating application.
- [INDIRECT_PROMPT_INJECTION]: The skill architecture is susceptible to indirect injection because it is designed to process flat-tree specifications ('specs') as its primary input, which may originate from untrusted sources.
  - Ingestion points: The 'spec' data object processed by the 'Render' component in SKILL.md and references/spec-format.md.
  - Boundary markers: The documentation advocates for Zod-typed catalogs as a safety boundary, but the efficacy depends on the strictness of the developer's schema implementation.
  - Capability inventory: The 'on' and 'watch' fields provide high-impact capabilities, including network access and state synchronization, to the data being processed.
  - Sanitization: The skill lacks built-in sanitization instructions, relying entirely on the catalog's property constraints to prevent malicious behavior.
Recommendations
- AI detected serious security threats
Audit Metadata