skills-dashboard

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The generated HTML dashboard references well-known external resources to facilitate rendering and styling.
      • Fetches the Plotly.js library from the official Plotly CDN (cdn.plot.ly).
      • Retrieves styling assets from Google Fonts (fonts.googleapis.com and fonts.gstatic.com).
  • [DATA_EXFILTRATION]: The skill performs network requests to https://skills.sh/api/search to gather data. While this involves data transfer from the internet, it is the primary intended function of the skill and does not involve the transmission of sensitive local user data.
  • [PROMPT_INJECTION]: The skill processes untrusted data from an external registry, which creates a surface for indirect prompt injection.
      • Ingestion points: External data is ingested from the skills.sh API into scripts/scrape_and_build.py.
      • Boundary markers: There are no explicit delimiters or instructions to the agent to ignore embedded commands within the fetched data before summarizing it in the console.
      • Capability inventory: The skill has access to Bash, Write, and Edit tools as defined in SKILL.md, which could be abused if the agent is misled by data content.
      • Sanitization: The script uses json.dumps for embedding data into the HTML dashboard, which provides minimal protection; it lacks rigorous sanitization for strings printed to the agent's stdout or rendered in the final dashboard.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 09:21 PM