makepad-splash
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns, such as credential theft or data exfiltration, were identified. The core capabilities, including runtime evaluation (cx.eval) and HTTP operations, are standard features of the documented language and are stated to run in a sandboxed environment.
- [PROMPT_INJECTION]: The skill describes an environment where AI generates code for a scripting engine, which presents a surface for indirect prompt injection if untrusted data is processed.
- Ingestion points: Input strings for cx.eval and the script! macro in SKILL.md.
- Boundary markers: No specific boundary markers or isolation instructions provided in the skill documentation.
- Capability inventory: The language support includes network operations (http object), UI manipulation (ui object), and async scheduling (timer object) as shown in SKILL.md.
- Sanitization: Not explicitly mentioned in the documentation, though a sandboxed environment is claimed for script execution.
Audit Metadata