hyperframes-creative
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes system commands to process media and manage its environment. scripts/extract-audio-data.py invokes the ffmpeg utility to extract frequency bands from audio or video files, and scripts/package-loader.mjs uses npm to facilitate the installation of necessary helper packages.
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill fetches external resources from well-known technology services. scripts/package-loader.mjs downloads Node.js dependencies (such as @hyperframes/producer and sharp) from the official NPM registry, and templates/design-picker.html loads the GSAP animation library from the jsDelivr CDN and typography from Google Fonts.
- [DYNAMIC_EXECUTION]: A custom loading script (scripts/package-loader.mjs) manages its own dependencies by creating a temporary environment and re-executing itself when required packages are missing.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes user-provided HTML compositions and design templates.
  - Ingestion points: scripts/contrast-report.mjs reads content from a composition directory, and templates/design-picker.html renders user-defined preview_html tokens.
  - Boundary markers: Not present in the processing logic, but the skill's documentation provides clear warnings against executable content.
  - Capability inventory: contrast-report.mjs performs DOM evaluation via Puppeteer, and the design picker uses innerHTML for rendering.
  - Sanitization: references/design-picker.md instructs the agent to ensure that injected HTML does not contain <script> tags or event handlers, mitigating the risk of cross-site scripting in the local tool environment.
Audit Metadata