cover-design
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
scripts/fetch-brand-icon.shscript fetches SVG and PNG assets from well-known and trusted package registries and CDNs, includingunpkg.com,jsdelivr.net, andnpmmirror.com. These downloads are restricted to static image assets required for the skill's primary design functionality. - [COMMAND_EXECUTION]: The
scripts/render-cover.shscript executes the local Google Chrome binary in headless mode. This is used to convert the generated HTML/CSS templates into high-quality PNG images, which is the core purpose of the skill. - [DATA_EXFILTRATION]: The
scripts/extract-brand-theme.shscript performs an outbound network request usingcurlto fetch the HTML and CSS of a user-provided URL. This is used solely to extract brand-specific color tokens (hex/oklch) and font families for the 'Brand Matching' feature. It does not access or exfiltrate sensitive local data. - [PROMPT_INJECTION]: The skill instructions in
SKILL.mdand the reference documents follow standard operational guidelines and do not contain any patterns attempting to override agent safety filters or bypass system constraints. - [SAFE]: The HTML templates and CSS code provided in the
templates/directory are standard web code for layout and typography, containing no malicious scripts, obfuscated payloads, or unauthorized network calls.
Audit Metadata