cover-design

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts/fetch-brand-icon.sh script fetches SVG and PNG assets from well-known and trusted package registries and CDNs, including unpkg.com, jsdelivr.net, and npmmirror.com. These downloads are restricted to static image assets required for the skill's primary design functionality.
  • [COMMAND_EXECUTION]: The scripts/render-cover.sh script executes the local Google Chrome binary in headless mode. This is used to convert the generated HTML/CSS templates into high-quality PNG images, which is the core purpose of the skill.
  • [DATA_EXFILTRATION]: The scripts/extract-brand-theme.sh script performs an outbound network request using curl to fetch the HTML and CSS of a user-provided URL. This is used solely to extract brand-specific color tokens (hex/oklch) and font families for the 'Brand Matching' feature. It does not access or exfiltrate sensitive local data.
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md and the reference documents follow standard operational guidelines and do not contain any patterns attempting to override agent safety filters or bypass system constraints.
  • [SAFE]: The HTML templates and CSS code provided in the templates/ directory are standard web code for layout and typography, containing no malicious scripts, obfuscated payloads, or unauthorized network calls.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 13, 2026, 12:05 PM