wireframe
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted design documents from the `./design` directory, which can contain malicious instructions. The agent is instructed to read these files before generating the viewer, creating a surface for indirect prompt injection from data.
  - Ingestion points: Markdown files located in `./design/`, `./design/components/`, and `./design/GLOBAL.md` are read by the agent and the generation script.
  - Boundary markers: The script lacks explicit delimiters or instructions to ignore commands embedded within the design files.
  - Capability inventory: The skill can write a local HTML file and trigger a browser preview via the `Browser Use` tool.
  - Sanitization: Incomplete sanitization allows untrusted data to influence the final executable output.
- [DYNAMIC_EXECUTION]: The `scripts/generate_wireframe.py` script generates an HTML file that incorporates untrusted input into a JavaScript block, creating a Cross-Site Scripting (XSS) vulnerability.
  - Evidence: In `scripts/generate_wireframe.py`, the `build_html` function embeds a JSON string into a `<script>` tag using `json.dumps` without escaping the `</script>` sequence. This allows an attacker to include a terminating script tag and a new malicious script block in a design file (e.g., `</script><script>alert(1)</script>`).
  - Risk: When the agent or user previews the generated wireframe, the injected JavaScript will execute in the browser context, potentially allowing data exfiltration or session manipulation.
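The `json.dumps`-in-`<script>` problem from the DYNAMIC_EXECUTION finding, as an added example that is not the skill's own `generate_wireframe.py`: a hypothetical stand-in for `build_html` that inlines the JSON unescaped, beside a variant that escapes `<`, `>` and `&` as JSON `\uXXXX` sequences so a `</script>` inside a design value can no longer close the block. The design dict is constructed sample input, not a real design file.

```python
import json

# Constructed sample: a design-file value an attacker controls.
MALICIOUS_DESIGN = {"title": "Login page</script><script>alert(1)</script>"}

# Python's json.dumps escapes quotes and control characters, but not '<',
# so '</script>' survives verbatim and the browser ends the script early.
_JS_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def build_html_unsafe(design: dict) -> str:
    """Hypothetical stand-in for the audited build_html (vulnerable pattern)."""
    return f"<script>const design = {json.dumps(design)};</script>"


def json_for_script(data) -> str:
    """Serialize data as JSON that is safe to inline inside a <script> block.

    The default ensure_ascii=True already turns U+2028/U+2029 into \\u escapes;
    mapping '<', '>', '&' to \\uXXXX keeps the text valid JSON and valid JS
    while removing every byte sequence HTML could parse as a tag.
    """
    text = json.dumps(data)
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in text)


def build_html_safe(design: dict) -> str:
    """Same layout as build_html_unsafe, but the payload cannot close the tag."""
    return f"<script>const design = {json_for_script(design)};</script>"


def script_tag_count(html: str) -> int:
    """Number of opening <script> tags an HTML parser would see."""
    return html.lower().count("<script>")


def roundtrips(data) -> bool:
    """The escaped form still decodes to the original data (no data loss)."""
    return json.loads(json_for_script(data)) == data


if __name__ == "__main__":
    print("unsafe tags:", script_tag_count(build_html_unsafe(MALICIOUS_DESIGN)))
    print("safe tags:  ", script_tag_count(build_html_safe(MALICIOUS_DESIGN)))
```

A quick regression check for a generator like this is to feed it a value containing `</script>` and assert the output still contains exactly one opening `<script>` tag.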
Audit Metadata