visual-qa
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data in the form of UI screenshots and terminal captures, which are then interpolated into subagent prompts for analysis.
  - Ingestion points: UI captures are read via `readFileSync` in `scripts/cli.ts` and provided to oracle agents in Step 3 of `SKILL.md`.
  - Boundary markers: The prompt templates for Pass A and Pass B lack explicit boundary markers or instructions to disregard potential instructions embedded within the captures.
  - Capability inventory: The skill can spawn subagents using the `task` tool and execute local shell commands via `bun`.
  - Sanitization: There is no evidence of data sanitization or escaping of the ingested UI content before it is added to the prompt context.
- [EXTERNAL_DOWNLOADS]: The skill instructions recommend installing `agent-browser` from the Vercel Labs GitHub repository. This involves downloading a managed browser environment from a well-known and trusted organization.
Audit Metadata