create-apple-notes-mockup

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation instructs the user to download and install the Chromium browser via Playwright as part of the initial setup.
  • Evidence: SKILL.md Setup section and playwright dependency in package.json.
  • [DATA_EXFILTRATION]: The render.js script provides a mechanism to read local files and embed their contents as data URIs within the generated HTML, based on paths provided in the input JSON.
  • Evidence: render.js lines 50-63 resolve and read files specified in the body.src field of the note specification. This capability could be leveraged to access files outside the skill's directory if the agent is provided with malicious paths.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks, as it processes untrusted JSON data that directs its file-reading and rendering behavior.
  • Ingestion points: The --note parameter in render.js accepts user-supplied JSON files (e.g., examples/mid.json).
  • Boundary markers: Absent; the tool does not use specific markers or instructions to distinguish between trusted and untrusted content within the JSON spec.
  • Capability inventory: Includes local file reading (fs.readFileSync), filesystem writing (fs.writeFileSync), and automated browser control through Playwright (screenshot.js).
  • Sanitization: Employs HTML entity escaping for text rendering in generate.js (escapeHtml function), but lacks validation or path-restriction (such as a whitelist or jail) for file assets, which could allow for directory traversal.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:18 AM
Security Audit — agent-trust-hub — create-apple-notes-mockup