basic-app-build
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's HTML templates load the `ryuu.js` library from `unpkg.com` and React/Recharts libraries from `esm.sh`. These are well-known content delivery networks (CDNs) for standard web development packages.
- [COMMAND_EXECUTION]: The playbook instructs the agent to perform operational commands such as `npm run build` and `domo publish`. These commands are necessary for the skill's primary function of building and deploying applications.
- [DATA_EXFILTRATION]: The provided code templates include logic to fetch data from Domo datasets using the `domo.get()` API. While this involves data access, it is the core functionality required for visualizing data within the application, and no unauthorized external destinations were detected.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external data which introduces a potential surface for indirect instructions.
  - Ingestion points: The application templates ingest data from Domo datasets via the `domo.get('/data/v1/'+ALIAS)` endpoint in the `app.js` file.
  - Boundary markers: The skill does not explicitly define delimiters for the data processed by the charts, although this is typical for visualization components.
  - Capability inventory: The skill can perform network operations (Domo APIs), write files (scaffolding code), and execute shell commands (`domo publish`).
  - Sanitization: The templates leverage React, which provides default protection against many common injection attacks during the rendering process.