widgets-ui
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches a component registry from
https://ui.inference.sh/r/widgets.jsonand images fromhttps://cloud.inference.sh. These resources are official endpoints for the UI service described. - [REMOTE_CODE_EXECUTION]: Provides instructions to execute
npx shadcnfor adding remote components andnpx skillsfor installing related toolkits. These are standard development workflows for the inference.sh ecosystem and originate from service-related domains. - [PROMPT_INJECTION]: The skill facilitates the processing of external data for UI rendering, creating a surface for indirect prompt injection.
- Ingestion points: The
WidgetRenderercomponent (SKILL.md) processes JSON-basedwidgetobjects. - Boundary markers: No explicit delimiter or instruction-filtering markers are defined in the documentation.
- Capability inventory: The renderer supports creating interactive buttons, forms, inputs, and images with associated click/submit actions.
- Sanitization: Sanitization and data validation are handled by the core
WidgetRendererimplementation logic.
Audit Metadata