team-ui-polish
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE; PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of untrusted external content.
  - Ingestion points: The scanner role consumes data from external URLs and local source code files as described in roles/scanner/role.md.
  - Boundary markers: Analysis of the instruction files shows an absence of clear boundaries or instructions to the agent to disregard commands found within the target data.
  - Capability inventory: Across its scripts, the skill utilizes Bash, Write, Edit, and Agent tools, providing a high-privilege environment for potential exploitation.
  - Sanitization: Content retrieved from external targets is not sanitized before being utilized by the various worker agents in the pipeline.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool within the coordinator role (roles/coordinator/role.md) to identify the project root and resolve environment paths. It also employs the Agent tool to orchestrate a team of specialized workers by spawning them with dynamic prompts as defined in roles/coordinator/commands/monitor.md.
- [REMOTE_CODE_EXECUTION]: The scanner role (roles/scanner/role.md) executes JavaScript within target web pages via mcp__chrome-devtools__evaluate_script to retrieve computed styles and layout information.