visual-mockup

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt-injection surface through the diagram's metadata and labels. The script interactive_mockup.py performs a plain string replacement to embed a JSON-encoded object into a <script> block in an HTML template. Because json.dumps escapes neither `<` nor `/`, a value containing the sequence </script> is written through unchanged, so an attacker who controls a diagram description can close the script element early and execute arbitrary JavaScript in the rendered page (XSS).
    ◦ Ingestion points: Untrusted user data from the conversation (node names, labels, titles) is processed and written to /tmp/layout.json as directed by SKILL.md.
    ◦ Boundary markers: Absent. The instructions neither define delimiters around the data nor warn the agent to ignore instructions embedded in it.
    ◦ Capability inventory: The skill calls subprocess.run(['open', ...]) in interactive_mockup.py and uses the open command in SKILL.md to launch a browser.
    ◦ Sanitization: The skill does not neutralize HTML-sensitive sequences in the JSON data before injecting it into the HTML mockup.
  • [COMMAND_EXECUTION]: The skill relies on executing system commands (python3, open) and uses predictable temporary file paths such as /tmp/layout.json, /tmp/mockup.html, and /tmp/visual-mockup.png. Fixed paths in a shared, world-writable directory are a security weakness that can lead to file manipulation or race conditions in multi-user environments.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 02:35 AM