design-md
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it instructs the agent to read and internalize instructions from external project files.
  - Ingestion points: The agent is directed to read and internalize content from `DESIGN.md`, `docs/DESIGN.md`, or `design/DESIGN.md` found in the user's workspace.
  - Boundary markers: There are no specific boundary markers or warnings to ignore malicious instructions within the processed files; the agent is explicitly told to treat the file as a "source of truth" and "internalize" its prose sections.
  - Capability inventory: The skill possesses significant capabilities including file system access (Read, Write, Edit, Glob), shell command execution via `npx`, and text search via `Grep`.
  - Sanitization: While the skill utilizes a structural linter (`npx @google/design.md lint`), this tool validates the token schema and structure but does not sanitize the natural language prose (`## Overview`, `## Do's and Don'ts`) where malicious instructions could be embedded.
- [EXTERNAL_DOWNLOADS]: The skill fetches and executes the `@google/design.md` package from the NPM registry via `npx`. This package originates from a trusted organization and its use is documented neutrally as a functional requirement for linting and exporting design tokens.