design-md
Warn
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides the source code for a Python script in references/extract-tokens-script.md and instructs the agent to write this code to a local file (e.g., extract_tokens.py) and execute it using python extract_tokens.py <repo-path>. While the script's logic appears limited to static analysis of design tokens (colors, typography, layout), the practice of dynamic script generation and execution at runtime is a risk-prone pattern.
- [PROMPT_INJECTION]: The skill fetches and processes content from untrusted external websites to extract design tokens and brand personalities (Mode 2 and Mode 3).
  - Ingestion points: The agent is instructed in references/brand-research-protocol.md to use web_fetch on homepage URLs and interior pages (e.g., /about, /pricing) provided by the user or found via search.
  - Boundary markers: The instructions lack explicit delimiters or guidance to ignore malicious instructions that may be embedded within the HTML or CSS content of the target websites.
  - Capability inventory: The agent has the capability to write and modify multiple files in the project root (DESIGN.md, CLAUDE.md, AGENTS.md) and execute shell commands (python extract_tokens.py).
  - Sanitization: There is no evidence of sanitization or content validation performed on the external data before it is analyzed to influence the resulting design specification and agent instructions.
- [EXTERNAL_DOWNLOADS]: The skill fetches documentation and visual assets from external URLs. It includes a reference list of well-known design systems from trusted organizations such as Google, Apple, GitHub, and Shopify in references/brand-research-protocol.md to guide its research phase.
Audit Metadata