a2ui-embed
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to render arbitrary HTML and JavaScript provided by the agent into a UI component.
  - Ingestion points: The agent writes content directly to a2ui_input.log (SKILL.md, Step 3).
  - Boundary markers: Uses <!-- A2UI:START --> markers, but these are functional for the parser and do not provide security isolation for the content.
  - Capability inventory: The skill allows writing to local log files and starting a Python-based WebSocket server (a2ui_sidecar.py).
  - Sanitization: None. The instructions explicitly tell the agent to include <script> tags and suggest dangerous iframe sandbox parameters like allow-same-origin and allow-scripts, which can lead to UI-level exploitation if the agent processes malicious external content.
- Command Execution (HIGH): The skill requires the agent to execute shell commands to manage background processes and interact with local configuration files.
  - Evidence: Instructions include python3 .../a2ui_sidecar.py &, ss -tlnp, and cat .../projects.json.
  - Risk: If an attacker can influence the paths or terminal IDs via prompt injection, they could potentially manipulate which scripts are executed or gain insights into the system's network state.
- Data Exposure (MEDIUM): The skill accesses sensitive local configuration files and specific user directories.
  - Evidence: Accesses /home/yousuf/GoogleDrive/PROJECTS/.triclaude/projects.json to extract terminal IDs and ports.
  - Risk: Unauthorized access to internal project metadata and terminal session information.
Recommendations
- AI detected serious security threats
Audit Metadata