ui-capture
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation includes a manual installation command that fetches a shell script from the author's GitHub repository and pipes it directly to the shell.
- Evidence in
SKILL.md:curl -LsSf https://raw.githubusercontent.com/voidmatcha/ui-clone-skills/main/install.sh | bash - The skill explicitly instructs the agent not to auto-execute this command, instead prompting the user to run it manually if dependencies are missing.
- [EXTERNAL_DOWNLOADS]: The skill is designed to navigate to and download data from arbitrary external websites as part of its primary capture function.
- Ingestion occurs via the
agent-browsertool for screenshots, video recording, and DOM metadata extraction. - [PROMPT_INJECTION]: The skill processes content from untrusted third-party websites, which constitutes an indirect prompt injection surface.
- Ingestion points:
agent-browser evalandscreenshotcommands inSKILL.mdanddetection.mdread data from third-party sites. - Capability inventory: Includes file system operations (
mkdir,cp), browser control (agent-browser), and video processing (ffmpeg). - Sanitization:
SKILL.mdanddetection.mdinclude explicit instructions for the agent to sanitize output, skip suspicious URIs, and redact directive-like text found in class names or attributes. - Boundary markers: The skill uses structured data (
regions.json) to handle results, but no specific boundary markers are defined for the prompt interpolation itself. - [COMMAND_EXECUTION]: The skill executes various local commands to process captured assets and manage the local environment.
- Tools used:
agent-browser,ffmpeg,npx,mkdir, andmv. - Arguments for these commands are derived from user-provided URLs and CSS selectors detected during page analysis.
Audit Metadata