brand-design-md

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses npx getdesign@latest in both the SKILL.md instructions and the scripts/getdesign-helper.mjs script to download and execute code from the NPM registry at runtime. Because the @latest tag is not pinned to a specific version, the agent executes whatever the registry currently serves, which is a supply chain risk.
  • [COMMAND_EXECUTION]: The scripts/getdesign-helper.mjs helper script uses execFileSync to run shell commands. On Windows, it invokes cmd.exe with a manually constructed command string. The quoting logic in buildWindowsCommand uses backslash-escaping for double quotes (\"), which may not be robust against all command injection vectors in the Windows shell environment, especially since the input slug is not strictly validated before being passed to the shell.
  • [EXTERNAL_DOWNLOADS]: The skill fetches external content (design specifications) from the getdesign.md catalog via the getdesign tool. This involves network operations to retrieve markdown files that are then processed by the agent.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface. It ingests untrusted markdown data from remote design specifications and uses that content to guide its code generation process. Maliciously crafted design files in the upstream catalog could contain instructions designed to influence the agent's output or behavior during the UI generation phase.
  • Ingestion points: Remote DESIGN.md files fetched via npx getdesign add. (scripts/getdesign-helper.mjs)
  • Boundary markers: Absent. The design content is read and directly used to extract design tokens without explicit delimiters or warnings to ignore embedded instructions.
  • Capability inventory: The agent has the capability to write files and execute shell commands (Bash tool) which could be targeted by a successful injection.
  • Sanitization: No sanitization or validation of the fetched design content is performed before the agent processes it.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 19, 2026, 02:49 PM