brainstorming
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill starts a persistent local Node.js server (`server.cjs`) via a background shell script (`start-server.sh`). The server backs the 'Visual Companion' feature: it listens on a random high port and serves HTML content across multiple agent turns.
- [DATA_EXFILTRATION]: The visual companion server exposes files from a session-specific directory (`SCREEN_DIR`) over the network. It sanitizes requested paths with `path.basename`, which strips directory components and so confines requests to files directly inside `SCREEN_DIR`, but an optional `--host` flag lets the server bind to a non-loopback interface (e.g. `0.0.0.0`). On that binding, any host that can reach the interface can fetch project designs or mockups from the directory.
- [PROMPT_INJECTION]: The skill instructions direct the agent to explore untrusted project data, including source files, documentation, and commit history, to gather design context. This workflow is an attack surface for indirect prompt injection.
  - Ingestion points: `SKILL.md` tells the agent to 'check files, docs, recent commits' and 'explore project context' as the first step of its process.
  - Boundary markers: The skill defines no delimiters around the ingested project data and no instructional guardrails for it (e.g. telling the model to treat text such as 'ignore previous instructions' found in file contents as data rather than as commands).
  - Capability inventory: Across its scripts, the skill can execute shell commands (`bash`), write files into the project directory (`docs/design/`), and dispatch subagents (`document-reviewer`).
  - Sanitization: There is no documented mechanism for validating or sanitizing the contents of project files before the LLM processes them.
Audit Metadata