goose-graphics-create-style

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes various shell commands to manage styles, including npx gooseworks styles publish and npx gooseworks styles get. It also executes a local Node.js script (screenshot.js) from the goose-graphics skill to render example images.
  • [EXTERNAL_DOWNLOADS]: The skill performs legitimate downloads of platform dependencies and browser binaries via npm install and npx playwright install chromium. It also communicates with skills.gooseworks.ai to search and retrieve style specifications.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing untrusted image files (--ref). While the agent is instructed to perform technical analysis (palette, typography), metadata or OCR content within the image could attempt to influence the generated style description or design specification.
  • [DYNAMIC_EXECUTION]: The workflow involves generating dynamic HTML files based on analyzed image properties and then executing them through a headless browser (Playwright) to produce PNG renders. This is a controlled execution environment for asset generation.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:17 AM
Security Audit — agent-trust-hub — goose-graphics-create-style