eliteforge-brainstorming
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell scripts (
start-server.sh,stop-server.sh) to manage a local Node.js server. These scripts use built-in shell commands and do not download or execute external untrusted code.\n- [DYNAMIC_EXECUTION]: A custom Node.js server (server.cjs) serves HTML fragments and mockups generated during the session. It injects a helper script (helper.js) into served pages to facilitate WebSocket communication for user interaction. This behavior is transparently implemented with provided source code.\n- [INDIRECT_PROMPT_INJECTION]: The skill consumes interaction data from a browser component, creating a potential surface for indirect injection if rendered content is malicious.\n - Ingestion points: User interaction events are read from the
state/eventsfile in the session directory.\n - Boundary markers: The events are formatted as JSON objects per line; no additional semantic boundaries are enforced.\n
- Capability inventory: The skill manages local server processes and performs file system operations (reads and writes).\n
- Sanitization: The server validates WebSocket messages as JSON but does not sanitize the
textorchoicefields before recording them.
Audit Metadata