design-system

Pass

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests content from untrusted DESIGN.md files which are then processed by the agent. The skill has capabilities to write files and execute shell commands, creating a potential path for malicious instructions embedded in design files to influence agent actions.
  • Ingestion points: DESIGN.md (root and specified paths) as defined in SKILL.md and subcommand reference files.
  • Boundary markers: Absent. The skill does not explicitly use delimiters or instructions to ignore embedded commands when processing design file content.
  • Capability inventory: Significant shell execution capabilities via Bash (found in scripts/audit.sh, scripts/diff.sh, and scripts/export.sh) and file system operations (Read, Write, Edit).
  • Sanitization: Absent. The skill content does not demonstrate sanitization or validation of the ingested markdown prose or YAML tokens before they are evaluated.
  • [EXTERNAL_DOWNLOADS]: Fetches the @google/design.md package from the npm registry using npx. This is an official tool from a well-known technology organization.
  • [REMOTE_CODE_EXECUTION]: Executes the downloaded @google/design.md CLI package to perform design audits, token diffing, and framework-specific exports.
  • [COMMAND_EXECUTION]: Executes several local shell scripts and standard system utilities including git, wc, tr, and mktemp to facilitate design system management and reporting.
Audit Metadata
Risk Level: SAFE
Analyzed: May 27, 2026, 04:07 AM
Security Audit — agent-trust-hub — design-system