website-to-hyperframes
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted data from arbitrary external URLs.
  - Ingestion points: Website content is extracted into files such as `capture/extracted/visible-text.txt` and `capture/extracted/asset-descriptions.md`, as described in `references/step-1-capture.md`.
  - Boundary markers: No explicit delimiters or specific instructions to ignore embedded commands within the captured content were found in the provided documentation.
  - Capability inventory: The skill possesses significant capabilities, including executing shell commands (`npx hyperframes`), writing files to the project directory, and spawning sub-agents to process the captured content.
  - Sanitization: There is no mention of sanitization or filtering of the extracted website text before it is used to generate the `SCRIPT.md` and `STORYBOARD.md`, creating a path where malicious site content could influence agent behavior.
- [COMMAND_EXECUTION]: The workflow relies heavily on executing shell commands through the `npx` runner to interact with the core `hyperframes` toolset.
  - Evidence: Multiple commands are used, including `npx hyperframes capture <URL>`, `npx hyperframes lint`, `npx hyperframes validate`, `npx hyperframes snapshot`, and `npx hyperframes render`.
  - The `capture` command directly incorporates a user-supplied URL as an argument, which is necessary for functionality but requires the underlying tool to handle untrusted input securely.
Audit Metadata