Skills
skills/keejkrej/design-skills/p5js/Gen Agent Trust Hub

p5js

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/export-frames.js file configures the Puppeteer headless browser with the --disable-web-security and --allow-file-access-from-files flags. This configuration allows any JavaScript code within the generated p5.js sketch to read arbitrary local files from the host system (e.g., using fetch('file:///etc/passwd')) and potentially render their content into captured frames or exfiltrate them.
  • [COMMAND_EXECUTION]: The skill includes shell scripts (scripts/render.sh, scripts/serve.sh, scripts/setup.sh) that execute various local commands, including node, ffmpeg, and python3. While variables are generally quoted to prevent simple shell injection, the execution of complex pipelines with external binaries increases the overall risk profile.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to fetch the p5.js core library and several addons (p5.sound, p5.js-svg, CCapture.js) from public content delivery networks including cdnjs.cloudflare.com and cdn.jsdelivr.net.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 12:50 PM