weasyprint

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides exhaustive instructions for installing the weasyprint Python library and its required native dependencies (such as Pango, HarfBuzz, and Fontconfig) through standard distribution channels like pip, apt, brew, and pacman across Linux, macOS, and Windows platforms.
  • [COMMAND_EXECUTION]: The skill contains utility scripts (e.g., scripts/render-courtbouillon-sample.sh and scripts/render-all-courtbouillon-samples.ps1) that execute local shell commands. These scripts are used to run the WeasyPrint command-line tool against the included HTML and CSS templates to generate sample PDF files.
  • [COMMAND_EXECUTION]: Technical documentation within the skill (specifically in common_use_cases.md) contains command-line snippets using sudo for administrative tasks such as configuring self-signed SSL certificates and updating certificate authority bundles on a server.
  • [SAFE]: The skill includes dedicated security modules (security-untrusted-html.md, security-url-fetcher.md) that proactively warn about risks like SSRF, information leaks, and path traversal when processing untrusted input. It provides best-practice hardening examples, including the implementation of custom URL fetchers to block sensitive protocols like file://.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 10:43 AM
Security Audit — agent-trust-hub — weasyprint