data-driven-panel
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implementation patterns for DataPanel and StockPanel create an indirect prompt injection surface through unsafe DOM manipulation.
- Ingestion points: External data is ingested from '/api/stocks' via the fetchStockData function in SKILL.md.
- Boundary markers: Absent. Data is directly interpolated into template strings without delimiters or warnings.
- Capability inventory: The DataPanel base class uses innerHTML in showLoading and showError methods. The StockPanel implementation uses innerHTML in the render method to inject API-sourced data into the DOM.
- Sanitization: Absent. There is no evidence of HTML escaping or sanitization for variables such as quote.symbol or error message strings before they are rendered as HTML.
Audit Metadata