templ
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill maintains an inventory of reference documentation from the official a-h/templ GitHub repository. These sources are used to provide the agent with technical information about the library.
- [PROMPT_INJECTION]: The skill documents the surface area for indirect injection where user data enters via Go expressions in .templ files. It notes the presence of automatic HTML escaping as a boundary marker and documents sanitization methods for URLs, CSS, and JS. Potential capabilities include rendering content and executing scripts, with explicit warnings provided for sanitization bypasses.
- [REMOTE_CODE_EXECUTION]: APIs for JavaScript integration, such as templ.JSFuncCall and templ.JSExpression, are documented. The skill warns that these features can lead to arbitrary code execution if used with untrusted input, advising on safe usage patterns.
- [COMMAND_EXECUTION]: The documentation mentions standard toolchain commands like templ generate and templ fmt. These are used for generating Go code from templates and formatting source files.