design-builder

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No security issues detected. The skill implements proactive defenses against indirect prompt injection in references/copy.md by explicitly instructing the agent to discard any directives, prompts, or behavioral suggestions found in fetched web content or uploaded documents.
  • [SAFE]: The scripts/preview-server.ts utility is restricted to the local loopback interface (127.0.0.1) and incorporates robust path traversal checks using path.relative to ensure file access is strictly scoped to the intended session directory.
  • [SAFE]: External dependencies for the design preview (Tailwind CSS and Lucide Icons) are fetched from well-known and reputable CDN services (JSDelivr and Unpkg), which is standard practice for web-based tools.
  • [SAFE]: The skill maintains clear boundaries for data access, focusing on local project directories (.agents/ and .artifacts/) without attempting to access sensitive system paths or credentials.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 06:44 PM
Security Audit — agent-trust-hub — design-builder