html-artifact

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill defines a strict security boundary for generated artifacts, requiring them to be entirely self-contained. It explicitly prohibits the use of CDNs, remote fonts, external scripts, and network-requesting APIs (fetch, XHR, WebSockets) to ensure that the artifacts remain offline and cannot exfiltrate data.- [SAFE]: An automated validation script (scripts/check_html_artifact.py) is integrated into the workflow to enforce security and structural policies. This script detects and blocks remote URLs, protocol-relative links, and unauthorized script sources in the generated HTML files.- [SAFE]: The skill instructions provide clear guidance on handling untrusted data. It requires the agent to treat external content (such as diffs, logs, or pasted web pages) as data only and explicitly warns against executing instruction-like text embedded within that data.- [SAFE]: The skill's operation relies solely on local templates and standard system tools (Python, Bash). There are no remote code downloads, unverifiable dependencies, or persistent background mechanisms included in the skill's file structure.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 07:18 AM
Security Audit — agent-trust-hub — html-artifact