goose-graphics-create-style
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various shell commands to manage styles, including
npx gooseworks styles publishandnpx gooseworks styles get. It also executes a local Node.js script (screenshot.js) from thegoose-graphicsskill to render example images. - [EXTERNAL_DOWNLOADS]: The skill performs legitimate downloads of platform dependencies and browser binaries via
npm installandnpx playwright install chromium. It also communicates withskills.gooseworks.aito search and retrieve style specifications. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing untrusted image files (
--ref). While the agent is instructed to perform technical analysis (palette, typography), metadata or OCR content within the image could attempt to influence the generated style description or design specification. - [DYNAMIC_EXECUTION]: The workflow involves generating dynamic HTML files based on analyzed image properties and then executing them through a headless browser (Playwright) to produce PNG renders. This is a controlled execution environment for asset generation.
Audit Metadata