SVG Animation Builder

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the use of the npx package runner to download and execute components from the author's repository. It also generates HTML files that load the GSAP animation library from a Content Delivery Network (CDN) for runtime execution.
  • [COMMAND_EXECUTION]: Employs Puppeteer, a browser automation tool, to capture frames for GIF conversion, which involves executing browser-level commands and file system operations.
  • [PROMPT_INJECTION]: The skill's core functionality of programmatically building SVG elements and GSAP timelines from input data creates a surface for indirect prompt injection. If an agent processes untrusted external content to generate these animations, it could lead to the inclusion of malicious logic in the rendered output.
      • Ingestion points: Data utilized to define SVG path attributes and animation timeline parameters.
      • Boundary markers: No delimiters or specific instructions are identified to separate user data from the generated animation code.
      • Capability inventory: Local file writing (HTML/SVG) and execution of browser automation tools for rendering.
      • Sanitization: No explicit validation or sanitization mechanisms are documented for the input data before it is interpolated into code structures.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 04:36 AM