add-assets
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's functionality is restricted to local file system operations within a user-provided game project directory. It generates pixel art sprites as code textures (using a
PixelRenderer.jsutility) rather than downloading external assets. - [INDIRECT_PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection due to its requirement to read and process local project files.
- Ingestion points: Instructions specify reading
package.json,src/core/Constants.js, and all files matchingsrc/entities/*.jsin the target project. - Boundary markers: There are no explicit markers or instructions to isolate the ingested file content from the agent's command context.
- Capability inventory: The skill creates multiple new files (e.g.,
src/core/PixelRenderer.js,src/sprites/player.js) and modifies existing entity constructors to replace shape-drawing calls with sprite-rendering calls. - Sanitization: No sanitization or validation logic is defined for the content extracted from the project files during the audit phase.
- [COMMAND_EXECUTION]: The skill suggests running
npm run buildand/game-creator:qa-gameas part of the verification process. These are standard development workflows for verifying code changes and updating visual regression snapshots in a game engine environment.
Audit Metadata