logo-design
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the shell command `open` (macOS) to preview generated SVG files. The filenames used in this command are dynamically constructed using the `{brand}` variable, which is directly supplied by the user. If a user provides a malicious brand name containing shell metacharacters (e.g., `$(command)`), it could lead to command injection in the agent's execution environment.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the `WebSearch` tool to gather market trends and competitor information. This data is then incorporated into the design process, which is a standard and expected behavior for this use case.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8):
  - Ingestion points: Data enters the agent's context through `WebSearch` results and user-provided brand information in SKILL.md (Phases 1 and 2).
  - Boundary markers: The instructions do not define clear boundaries or delimiters to isolate untrusted external content from the agent's internal logic.
  - Capability inventory: The agent has the capability to write files to the local file system (the `logos/` directory) and execute shell commands (`open`) to display those files.
  - Sanitization: There is no mention of sanitizing or validating the content extracted from search results or user input before it is interpolated into the generated SVG code. This could allow an attacker to inject malicious scripts (XSS) into the SVG file, which would execute in the user's browser when the file is opened.
Audit Metadata