Skills
skills/lintendo/axhub-skills/extract-axure-data/Gen Agent Trust Hub

extract-axure-data

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The 'extract.mjs' script automatically downloads the 'playwright' package and Chromium browser from external sources on first run, saving them to '~/.cache/axure-extractor/'.
  • [REMOTE_CODE_EXECUTION]: The script fetches JavaScript files from the provided Axure URL and executes them via 'vm.runInContext', allowing code from an external source to run in the Node.js process.
  • [COMMAND_EXECUTION]: The skill uses 'execSync' to run shell commands for installing software. It also launches a browser instance with security flags disabled ('--disable-web-security').
  • [PROMPT_INJECTION]: The skill processes text and component notes from external prototypes, which could contain malicious instructions for the agent.
  • Ingestion points: Remote prototype URLs provided by the user.
  • Boundary markers: None present.
  • Capability inventory: Includes shell command execution, network requests, and file system writes.
  • Sanitization: No validation or sanitization is performed on the extracted prototype content.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 14, 2026, 12:59 AM