github-screenshots

Pass

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The capture.sh script executes a dynamically generated Node.js script to control the browser automation process.
  • Evidence: The script creates a temporary JavaScript file populated with user-provided parameters (URL, CSS selectors, etc.) and runs it with node.
  • Mitigation: The skill uses a robust encoding method (JSON.stringify via Node) to sanitize all shell variables before they are embedded into the JavaScript template, effectively preventing command injection into the JS execution context.
  • [DATA_EXFILTRATION]: The skill reads from a local configuration file to obtain the bucket name and credentials required for the upload process.
  • Evidence: upload.sh accesses ~/.config/buildinternet/config to retrieve GH_SCREENSHOTS_BUCKET and Cloudflare API tokens.
  • Context: This access is limited to the skill's own namespace and is the intended mechanism for the user to provide authentication for their own Cloudflare account.
  • [EXTERNAL_DOWNLOADS]: The skill relies on well-known external developer tools and browser binaries.
  • Evidence: The documentation and scripts reference npx playwright install chromium and the wrangler CLI.
  • Context: These are reputable tools from trusted organizations (Microsoft and Cloudflare) and are used for their documented purposes.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 25, 2026, 07:59 PM
Security Audit — agent-trust-hub — github-screenshots