skills/hotpheex/jutsu/ui-journey/Gen Agent Trust Hub

ui-journey

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION

Full Analysis
  • [COMMAND_EXECUTION]: In lib/capture.ts, the skill uses execSync to run Git commands. While the current arguments are hardcoded, the use of a shell-executing function is a sensitive pattern that could lead to command injection if user-provided strings are ever included in the command.
  • [DATA_EXFILTRATION]: The skill extracts Git repository metadata and captures automated screenshots of the application. This poses a risk of exposing sensitive data, such as API keys or user information, if they appear in the UI during a capture milestone.
  • [REMOTE_CODE_EXECUTION]: The generated index.html report template in assets/viewer.html is vulnerable to Stored Cross-Site Scripting (XSS). It uses .innerHTML to render the Git branch name retrieved from the manifest. An attacker who controls the branch name in a repository could inject malicious scripts that execute in the browser of any user viewing the development journey.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 19, 2026, 11:34 AM