glm-design-to-code-trial
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: Transmits user-provided assets, such as screenshots and text descriptions, to the Z.ai API (api.z.ai) for code generation. This network operation is the primary purpose of the skill.
- [COMMAND_EXECUTION]: Executes local bash commands to manage environment variables, encode image data into base64, and perform HTTP requests via curl. The shell scripts are designed to handle API keys securely and sanitize inputs.
- [EXTERNAL_DOWNLOADS]: Connects to external API endpoints at api.z.ai to fetch generated HTML, CSS, and JS content. The skill validates the API key before processing the main request to ensure connectivity.
- [SAFE]: Implements best practices for credential management by checking for API keys in .env files and automatically ensuring .env is added to .gitignore. The file extraction logic specifically filters for path traversal attempts ('..') and sanitizes filenames to ensure safe local writes.