mcp-visual-output

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill defines a framework for AI-generated visual interfaces (GenUI) that uses a structured JSON specification rather than raw HTML, which reduces the risk of XSS injection.
  • [SAFE]: The skill includes a dedicated security rule (rules/sandbox-csp.md) that explicitly warns against overly permissive configurations like wildcard domains or 'unsafe-inline' scripts, and teaches developers how to implement a 'minimal privilege' CSP.
  • [SAFE]: All external package references (@json-render/mcp, @json-render/core) and repository links (github.com/nichochar/json-render) are standard development resources consistent with the skill's purpose and do not involve suspicious execution patterns.
  • [SAFE]: The skill uses a sandboxed iframe architecture for rendering, which is a standard security boundary for AI-generated UI components.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 11:39 PM