github-screenshots
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The
capture.shscript executes a dynamically generated Node.js script to control the browser automation process. - Evidence: The script creates a temporary JavaScript file populated with user-provided parameters (URL, CSS selectors, etc.) and runs it with
node. - Mitigation: The skill uses a robust encoding method (
JSON.stringifyvia Node) to sanitize all shell variables before they are embedded into the JavaScript template, effectively preventing command injection into the JS execution context. - [DATA_EXFILTRATION]: The skill reads from a local configuration file to obtain the bucket name and credentials required for the upload process.
- Evidence:
upload.shaccesses~/.config/buildinternet/configto retrieveGH_SCREENSHOTS_BUCKETand Cloudflare API tokens. - Context: This access is limited to the skill's own namespace and is the intended mechanism for the user to provide authentication for their own Cloudflare account.
- [EXTERNAL_DOWNLOADS]: The skill relies on well-known external developer tools and browser binaries.
- Evidence: The documentation and scripts reference
npx playwright install chromiumand thewranglerCLI. - Context: These are reputable tools from trusted organizations (Microsoft and Cloudflare) and are used for their documented purposes.
Audit Metadata