validating-slds
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses `npx` to run the `@salesforce-ux/slds-linter` tool from the official Salesforce UX repository. This is a standard practice for utilizing the latest version of the SLDS linter and originates from a well-known service associated with the vendor.
- [COMMAND_EXECUTION]: The skill executes a local Node.js script (`scripts/analyze-quality.cjs`) to perform supplementary checks on component files. The script is restricted to reading and analyzing file contents within the provided component path and does not perform any dangerous system operations.
- [DATA_EXFILTRATION]: The skill accesses local `.css`, `.html`, and `.js` files for analysis. This data access is essential for its primary function as a code auditing tool and no evidence of unauthorized network transmission or exfiltration of sensitive information was found.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests and processes content from untrusted external component files.
  - Ingestion points: Reads code and comments from user-provided LWC files via `fs.readFileSync` in `scripts/analyze-quality.cjs`.
  - Boundary markers: None explicitly used to wrap the component content before agent review, though the script provides structured JSON results.
  - Capability inventory: Limited to file reading and executing the linter via shell.
  - Sanitization: None detected for the component source code, but the risk is low given the analytical nature of the skill.
Audit Metadata