skill-visualizer
Warn
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script automatically launches the generated HTML file in the default system browser using the webbrowser.open() function upon completion of the generation process.
- [DATA_EXFILTRATION]: The tool performs broad discovery and read operations on the local filesystem, scanning the user's home directory (~/.agents/skills/) and the current workspace (./.agents/skills/). It reads the contents of SKILL.md, scripts, and reference files, which are then bundled into the output HTML.
- [REMOTE_CODE_EXECUTION]: The skill generates a self-contained HTML/JavaScript application at runtime. This process incorporates untrusted data from the filesystem into the executable dashboard. Due to flaws in the custom markdown parser, this creates a path where malicious file content can result in arbitrary JavaScript execution (XSS) when the dashboard is viewed in a browser.
- [PROMPT_INJECTION]: The tool possesses a significant indirect injection surface due to the way it processes and renders external skill data.
  - Ingestion points: Content is ingested from SKILL.md and script files located in the .agents/skills directories.
  - Boundary markers: No security boundaries or instructions to ignore embedded code are implemented between the tool's interface logic and the data it displays.
  - Capability inventory: The skill has the ability to read local files and trigger the system's default browser.
  - Sanitization: Sanitization is insufficient. The md_to_html function preserves raw HTML blocks and permits javascript: URIs in markdown links. Because the dashboard renders this content using innerHTML, a malicious skill can execute code in the context of the local dashboard application.
Audit Metadata