refero-styles
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches design artifacts (markdown, CSS, JSON) from the external domain 'styles.refero.design'.
  - Evidence: The 'refero.py' script uses the 'httpx' library to perform GET requests to 'https://styles.refero.design' to retrieve style summaries and detailed artifacts.
- [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface by processing untrusted external content as instructions for the agent.
  - Ingestion points: 'refero.py' downloads 'DESIGN.md' from the remote service and saves it to a local 'reference/' directory; the 'SKILL.md' then explicitly instructs the agent to read these files for design guidance.
  - Boundary markers: There are no boundary markers or 'ignore embedded instructions' warnings provided in 'SKILL.md' when the agent is directed to use the downloaded content.
  - Capability inventory: The skill has the capability to write files, perform network operations to its target domain, and execute its own local Python script.
  - Sanitization: The 'refero.py' script performs HTML unescaping on the scraped markdown but does not implement validation or filtering to prevent malicious instructions from being ingested into the agent context.
Audit Metadata