Gen Agent Trust Hub security audit: skills/earthtojake/text-to-cad/render

Result: Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess and spawn to manage the viewer server, the snapshot CLI, and the robot state seeder. All command arguments derived from external input are either strictly normalized (e.g., joint values validated as finite numbers) or treated as opaque data within sanitized JSON payloads, preventing command injection.
  • [DATA_EXFILTRATION]: Path validation logic using path.resolve and posixpath.normpath is consistently applied across the Vite development server and the headless render worker. These checks, combined with explicit verification that requested paths reside within the authorized workspace root, effectively mitigate directory traversal and unauthorized file access.
  • [REMOTE_CODE_EXECUTION]: Dynamic imports are used for environment verification and modular loading of Three.js components. These imports are restricted to hardcoded, trusted module names or managed through the platform's module system, and no mechanism exists for executing arbitrary remote code or user-provided scripts.
  • [EXTERNAL_DOWNLOADS]: The skill manages its operating environment through standard package managers (npm, conda). These downloads are limited to recognized registries and are necessary for the core functionality of 3D rendering and motion planning integration.
Audit Metadata
Risk Level: SAFE
Analyzed: May 20, 2026, 10:05 PM