validating-slds

Pass

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: SAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses npx to run @salesforce-ux/slds-linter, the SLDS linter that Salesforce UX publishes to the npm registry under its own scope. Invoking it through npx is the usual way to pick up the current release, but the invocation is not pinned to a version, so each run executes whatever the registry serves as latest at that moment; a practitioner who wants reproducible audits would pin the version (or install it from a lock file) before relying on the output.
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script (scripts/analyze-quality.cjs) to perform supplementary checks on component files. The script is limited to reading and analyzing file contents under the supplied component path and was not found to perform any other system operation.
  • [DATA_EXFILTRATION]: The skill accesses local .css, .html, and .js files for analysis. This data access is essential for its primary function as a code auditing tool and no evidence of unauthorized network transmission or exfiltration of sensitive information was found.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests and processes content from untrusted component files and passes the results to the agent.
    • Ingestion points: scripts/analyze-quality.cjs reads code and comments from user-provided LWC files via fs.readFileSync.
    • Boundary markers: none are used to delimit the component content before the agent reviews it. The script does return its results as structured JSON, which keeps findings separate from raw source but does not by itself mark text embedded in that source as untrusted.
    • Capability inventory: limited to reading files and invoking the linter through a shell.
    • Sanitization: none detected for the component source code. The residual risk is rated low because the skill only analyzes and reports on the files; instruction-like text in a comment could still reach the agent alongside the findings, which is why the missing markers are worth noting.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 12, 2026, 07:49 PM