figma-to-design-audit
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from an external configuration file and processes it without adequate security boundaries.
  - Ingestion points: The file .claude/design-tokens/design-tokens.json is read entirely into the agent's context (SKILL.md).
  - Boundary markers: Absent. The skill does not use delimiters or provide instructions to the agent to treat the JSON content as untrusted data or to ignore embedded instructions.
  - Capability inventory: The skill has access to Bash, Read, Grep, and Glob tools, which could be leveraged if an attacker successfully injects instructions into the design tokens file.
  - Sanitization: Absent. There is no validation or escaping of the token names, color values, or library names before they are used in search patterns or logic.
Audit Metadata