d3-viz
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation references the official D3.js library hosted on d3js.org and provides an installation command in the metadata that downloads the skill content from a GitHub repository. These references involve well-known, established services and align with the skill's functional requirements.
- [PROMPT_INJECTION]: Code patterns for creating interactive tooltips in SKILL.md utilize the `.html()` method to render data-driven content. This represents an indirect prompt injection surface where maliciously crafted input data could potentially execute unintended scripts within the visualization's document context.
- Ingestion points: Data properties (e.g., d.label, d.value) processed by visualization scripts in SKILL.md.
- Boundary markers: None present in the provided templates.
- Capability inventory: Document Object Model (DOM) and SVG manipulation capabilities via D3.js.
- Sanitization: The provided examples do not demonstrate explicit sanitization of data before rendering it as HTML.
Audit Metadata