beautiful-article

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scaffold.sh script executes npm install reacticle@latest to retrieve the core component library from the official NPM registry. This is a standard practice for JavaScript-based skills and targets a package maintained by the skill's author.
  • [COMMAND_EXECUTION]: The skill relies on shell scripts (scaffold.sh, html-to-pdf.sh) and Node.js-based build tools to bootstrap workspaces and generate the final article. These operations use standard utilities like perl, awk, and local browser binaries (Chrome/Chromium) for PDF rendering, which is appropriate for a development-oriented skill.
  • [REMOTE_CODE_EXECUTION]: The core functionality involves generating TypeScript and React component files (sections/*.tsx) based on input sources. These are then compiled into a single HTML bundle. While this involves dynamic code generation and execution, it is the intended primary utility of the skill and is governed by a strict component protocol that discourages unsafe practices.
  • [PROMPT_INJECTION]: The skill ingests untrusted external data from URLs and documents for extraction. This presents a surface for indirect prompt injection. The skill mitigates this risk by converting input to a flat Markdown 'source' file and employing a multi-phase review process (SubAgents and manual checkpoints) to verify content integrity and safety before final article generation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 02:55 AM
Security Audit — agent-trust-hub — beautiful-article