design-refinement

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing and expansion of untrusted design tree data.
  • Ingestion points: Untrusted data enters the agent context via the 'design_state' input, specifically within the 'design_tree' and 'open_branches' fields (found in SKILL.md and SKILL-zh-CN.md).
  • Boundary markers: The instructions do not define delimiters or provide specific warnings to ignore embedded instructions within the tree nodes, increasing the risk that the agent may follow malicious directives found in the design data.
  • Capability inventory: The skill grants the agent the capability to perform 'deep validation of external dependencies' for '[RESEARCH]' nodes. This allows an attacker to potentially influence the agent's research behavior or tool usage by embedding malicious integration patterns or URLs in the design tree.
  • Sanitization: There is no evidence of sanitization, validation, or escaping of external content before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 2, 2026, 04:27 PM
Security Audit — agent-trust-hub — design-refinement