ui-reverse-engineering
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: Static analysis flagged the sequence "ignore previous instructions" in css-first-generation.md. This is a defensive instruction aimed at protecting the model from following directives embedded in extracted website content. The skill explicitly tells the agent to treat such strings as literal display text rather than instructions.
- [EXTERNAL_DOWNLOADS]: The skill uses curl to download CSS, fonts, images, and JavaScript chunks from the target URL provided by the user. It implements robust safety controls, including 10MB file size limits, timeouts, and a strict "read-only" policy for JavaScript chunks to prevent remote code execution. These downloads are necessary for the skill's primary function of site replication.
- [DATA_EXFILTRATION]: The skill's evaluation suite in evals/evals.json includes test cases containing patterns like eval(atob(...)) and document.cookie. These are used to verify that the agent's sanitization logic correctly identifies and flags potentially malicious patterns in the websites it analyzes. They do not represent malicious behavior within the skill itself.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted text from external websites. If a site contains the specific boundary marker ═══ END EXTRACTED DATA ═══, it could potentially escape the safety wrapper. However, the skill provides clear behavioral guidance to the agent to treat all data within these markers as non-executable display text.
Audit Metadata