Skills
skills/santowilem/skills/clone-ui/Gen Agent Trust Hub

clone-ui

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [SAFE]: The skill is a legitimate utility that implements security-by-design principles. It provides the agent with explicit instructions to safeguard user session data and treat third-party web content as passive data rather than executable instructions.
  • [PROMPT_INJECTION]: A static analysis alert for prompt injection was triggered by the presence of phrases like 'ignore previous instructions'. These were determined to be false positives; they appear within security guidelines instructing the agent on how to identify and neutralize malicious patterns found in the websites it processes.
  • [COMMAND_EXECUTION]: The skill utilizes localized PowerShell (save-tool-result.ps1) and Python (save-tool-result.py) helper scripts to extract and save JSON data from tool results. These scripts are functionally restricted to basic file I/O within the project workspace and do not perform network operations or system-level configuration changes.
  • [EXTERNAL_DOWNLOADS]: As part of its core UI-cloning function, the skill fetches assets such as images, icons, and HTML from user-specified URLs. It also leverages the chrome-devtools-mcp package for visual analysis, which is a recognized tool for this purpose.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it processes untrusted third-party website content.
  • Ingestion points: External HTML and CSS content is saved to .clone-ui/source/raw.html and .clone-ui/source/rendered.html.
  • Boundary markers: Instructions explicitly direct the agent to treat this content as untrusted data and mentally wrap it in markers to prevent it from influencing agent behavior.
  • Capability inventory: Across its scripts, the skill can perform file writes, execute the bundled Python/PowerShell helpers, and make network requests via curl and chrome-devtools-mcp.
  • Sanitization: The skill implements sanitization rules, such as stripping <script> tags and third-party tracking beacons from mirrored content, to prevent code execution when the cloned UI is reviewed locally.
Audit Metadata
Risk Level
SAFE
Analyzed
May 10, 2026, 07:16 AM