design-builder
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues detected. The skill implements proactive defenses against indirect prompt injection in
references/copy.mdby explicitly instructing the agent to discard any directives, prompts, or behavioral suggestions found in fetched web content or uploaded documents. - [SAFE]: The
scripts/preview-server.tsutility is restricted to the local loopback interface (127.0.0.1) and incorporates robust path traversal checks usingpath.relativeto ensure file access is strictly scoped to the intended session directory. - [SAFE]: External dependencies for the design preview (Tailwind CSS and Lucide Icons) are fetched from well-known and reputable CDN services (JSDelivr and Unpkg), which is standard practice for web-based tools.
- [SAFE]: The skill maintains clear boundaries for data access, focusing on local project directories (
.agents/and.artifacts/) without attempting to access sensitive system paths or credentials.
Audit Metadata