distill
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE. Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted UI code and content.
- Ingestion points: The agent reads and processes UI components, text, and structure described by the user or found in the local project files (SKILL.md).
- Boundary markers: There are no explicit instructions or delimiters to ignore embedded instructions within the UI data being distilled.
- Capability inventory: The skill explicitly authorizes the agent to 'Edit code directly'.
- Sanitization: No validation or sanitization of processed UI content is defined to prevent instructions embedded in the UI from influencing the agent's behavior.
- [COMMAND_EXECUTION]: The skill instructs the agent to 'Edit code directly' and apply 'Visual weight reduction' or 'Structure' changes to the codebase. While these are the primary intended functions, they represent high-privilege file system operations that could be abused if the agent is misled by injected content.
Audit Metadata