brand
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes content from untrusted external URLs and PDFs to extract brand voice and examples.
  - Ingestion points: Brand guidelines URL, PDF, and reference sets (SKILL.md Phase 1).
  - Boundary markers: Absent; there are no instructions to isolate or treat ingested content as potentially malicious data.
  - Capability inventory: Playwright browser execution, file system write access to the stardust/ directory, and shell execution for opening artifacts.
  - Sanitization: Extracted copy is mapped directly into the brand profile without validation or sanitization.
- [COMMAND_EXECUTION]: The skill uses the `open` command on macOS to display the palette picker and brand board HTML files. While restricted to specific local file paths, it represents an automated interaction with the host operating system.
- [EXTERNAL_DOWNLOADS]: Downloads logos and brand assets from external domains provided by the user. This is a core function of the extraction process but involves network operations to non-whitelisted domains.
Audit Metadata