prototype
Fail
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: During the sample-publishing flow the skill is instructed to clone an external GitHub repository (paolomoz/stardust-2) and execute a 'manifest validator' script contained in it. The repository is neither vendor-controlled nor verified, so the code that runs is whatever the repository serves at the moment of the clone; this is a significant security risk.
- [DATA_EXFILTRATION]: Through the --publish-sample flag, the skill packages local project artifacts (redesign HTML, site metadata and direction documents) and submits them to an external third-party repository as a Pull Request. This is a documented feature, but it still transfers internal project data to a public repository.
- [COMMAND_EXECUTION]: The skill runs the GitHub CLI (gh) to clone repositories and manage Pull Requests, and invokes 'open', 'xdg-open' or 'start' to launch the system browser on generated prototype files.
- [EXTERNAL_DOWNLOADS]: Performs a 'git clone' of the external repository paolomoz/stardust-2 from GitHub to stage files for the showcase functionality.
- [PROMPT_INJECTION]: The skill feeds content captured from external websites (stored in stardust/current/pages/.json) to the model to generate new HTML mockups. Instructions hidden in the source website's text or markup can therefore be interpreted as directives during the 'craft' phase (indirect prompt injection).
- Ingestion points: reads site structure and content from stardust/current/pages/.json and brand data from stardust/current/_brand-extraction.json.
- Boundary markers: a 'content sourcing hierarchy' and mandatory 'PLACEHOLDER' markers for content missing from the source reduce fabrication, but they do not stop embedded instructions from being followed.
- Capability inventory: executes the gh CLI, opens the system browser and performs extensive file writes to the local filesystem.
- Sanitization: a deterministic 'critique' pass checks the output against hard-coded design rules (token contracts, data attributes). This is a quality check on the output, not a filter on the untrusted input.
Recommendations
- AI detected serious security threats
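The REMOTE_CODE_EXECUTION and EXTERNAL_DOWNLOADS findings reduce to one step: a script fetched from an unverified repository is executed as-is. The following is an added example of the guard a practitioner would put in front of that step; it is written for this page and is not code from the prototype skill or from the stardust-2 repository. It assumes a hypothetical validator path (scripts/validate-manifest.sh) and treats the expected commit and SHA-256 digest as constants the skill author would pin in their own configuration. The repository in the usage sketch is a constructed local stand-in, not paolomoz/stardust-2.

```shell
#!/bin/sh
# Added example (not the skill's own code): refuse to run a fetched validator
# unless the checkout is at a pinned commit and the script matches a pinned digest.
# Hypothetical values: the validator path, the expected commit and the expected
# SHA-256 would be fixed by the skill author, never read from the cloned repository.

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if the file's digest equals the expected one.
verify_sha256() {
  [ "$(file_sha256 "$1")" = "$2" ]
}

# Succeed only if the checkout's HEAD is exactly the pinned commit.
# A tag or branch name is not enough: both can be moved by the repository owner.
pin_checkout_commit() {
  checkout="$1"; expected="$2"
  head=$(git -C "$checkout" rev-parse HEAD 2>/dev/null) || {
    echo "not a git checkout: $checkout" >&2; return 2; }
  [ "$head" = "$expected" ] || {
    echo "commit mismatch: got $head, want $expected" >&2; return 3; }
}

# Execute a script only after its digest is verified; otherwise return 4
# without running it. The script's own exit status is passed through.
run_verified_script() {
  script="$1"; expected="$2"
  verify_sha256 "$script" "$expected" || {
    echo "refusing to run $script: digest mismatch" >&2; return 4; }
  sh "$script"
}

# Full guard for the audited step: pinned commit, then pinned digest, then run.
run_pinned_validator() {
  checkout="$1"; expected_commit="$2"; expected_sha="$3"
  pin_checkout_commit "$checkout" "$expected_commit" || return $?
  run_verified_script "$checkout/scripts/validate-manifest.sh" "$expected_sha"
}

# Usage sketch against a constructed local repository (a stand-in for the real
# clone). Here the two pins are computed on the spot only to make the sketch
# self-contained; in real use they are constants in the skill's configuration.
if [ "${DEMO:-0}" = "1" ]; then
  work=$(mktemp -d)
  git -C "$work" init -q
  mkdir -p "$work/scripts"
  printf '#!/bin/sh\necho manifest ok\n' > "$work/scripts/validate-manifest.sh"
  git -C "$work" add . && git -C "$work" -c user.name=demo -c user.email=demo@example.com commit -q -m pin
  run_pinned_validator "$work" "$(git -C "$work" rev-parse HEAD)" \
    "$(file_sha256 "$work/scripts/validate-manifest.sh")"
fi
```

Run with DEMO=1 to see the guard pass on the constructed repository; swap either pin for a wrong value and the validator is not executed. The commit check is deliberately against a full SHA rather than a branch or tag, since the remote owner can move both; the digest check then binds the specific script that is about to be executed, independent of anything else in the checkout.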
Audit Metadata