design-md

Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides the source code for a Python script in references/extract-tokens-script.md and instructs the agent to write this code to a local file (e.g., extract_tokens.py) and execute it using python extract_tokens.py <repo-path>. While the script's logic appears limited to static analysis of design tokens (colors, typography, layout), generating a script at runtime and executing it is a risk-prone pattern.
  • [PROMPT_INJECTION]: The skill fetches and processes content from untrusted external websites to extract design tokens and brand personalities (Mode 2 and Mode 3).
      ◦ Ingestion points: The agent is instructed in references/brand-research-protocol.md to use web_fetch on homepage URLs and interior pages (e.g., /about, /pricing) provided by the user or found via search.
      ◦ Boundary markers: The instructions lack explicit delimiters or guidance to ignore malicious instructions that may be embedded within the HTML or CSS content of the target websites.
      ◦ Capability inventory: The agent has the capability to write and modify multiple files in the project root (DESIGN.md, CLAUDE.md, AGENTS.md) and to execute shell commands (python extract_tokens.py).
      ◦ Sanitization: There is no evidence of sanitization or content validation performed on the external data before it is analyzed to influence the resulting design specification and agent instructions.
  • [EXTERNAL_DOWNLOADS]: The skill fetches documentation and visual assets from external URLs. It includes a reference list of well-known design systems from trusted organizations such as Google, Apple, GitHub, and Shopify in references/brand-research-protocol.md to guide its research phase.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 2, 2026, 06:21 AM
Security Audit — agent-trust-hub — design-md