dashboard-builder
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, NO_CODE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use popular third-party charting libraries such as Chart.js, Apache ECharts, or D3.js by referencing them via CDNs. This is a standard and recommended method for creating self-contained dashboards.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data from CSV files, local folders, or user-pasted text and incorporates that data into a generated HTML file. Without instructions to sanitize or escape this content, malicious data could lead to cross-site scripting (XSS) in the generated dashboard.
  - Ingestion points: Data is read from files, folders, or direct user input as described in SKILL.md and exemplified in evals.json.
  - Boundary markers: There are no specific instructions to use delimiters or ignore embedded instructions within the processed data.
  - Capability inventory: The agent reads local data sources and writes the resulting HTML file to the workspace.
  - Sanitization: The instructions focus on formatting numbers and charts for readability but do not include specific security-focused sanitization for data-driven strings.
- [NO_CODE]: The skill package consists only of documentation and evaluation configuration files; it does not include any executable scripts, binaries, or source code files.
Audit Metadata