distill
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it extracts verbatim text (headlines, paragraphs, CTAs, and navigation labels) from untrusted external sources (static files and live URLs) and incorporates them into a narrative brief (SAMPLES.md) used by downstream agent skills. There is no explicit sanitization or use of robust boundary markers to prevent malicious text within a sample site from influencing the AI's behavior when it later reads the generated brief.
- Ingestion points: Local files in
samples/static/and external websites listed insamples/live/urls.json. - Boundary markers: The
SAMPLES.mdformat utilizes standard Markdown headers and tables but does not define specific delimiters or instructions to ignore potential commands embedded in the extracted content. - Capability inventory: The skill performs file system write operations (
SAMPLES.md,trait-matrix.json,state.json) and network fetching. - Sanitization: The skill captures verbatim text from the DOM without documented filtering or escaping.
- [EXTERNAL_DOWNLOADS]: The skill uses Playwright to fetch and render live websites specified by the user. This involves standard network operations to download HTML content and associated assets for analysis.
- [COMMAND_EXECUTION]: The skill executes
npx playwrightto perform browser-based rendering and style extraction. This is a legitimate use of a technology tool required for the skill's stated purpose of analyzing website designs.
Audit Metadata