design-tokens

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection through its handling of token data.
  • Ingestion points: The skill ingests data from external token files (*.tokens.json) through the dtokens/model.py module.
  • Boundary markers: The system lacks delimiters to isolate ingested token data from internal instructional templates.
  • Capability inventory: The skill can write files, generate shell commands, and create HTML content with external dependencies.
  • Sanitization: Token names and values are interpolated into generated prompt strings in dtokens/export_prompt.py without sanitization or escaping, which could allow malicious token data to influence downstream AI models.
  • [COMMAND_EXECUTION]: The skill involves the generation of CLI commands and the execution of a local utility server.
  • The prompt command generates ready-to-paste shell command strings for external scripts (gpt_image_2.py and nano_banana.py) which are not included in the package.
  • The serve and use commands launch a local HTTP server using Python's http.server module, binding to the loopback address (127.0.0.1), and automatically open the system's web browser.
  • [EXTERNAL_DOWNLOADS]: The skill and its included examples reference various external assets and developer tools from well-known services.
  • HTML previews and landing page examples reference resources from Google Fonts, JSdelivr, Cloudflare, UNPKG, and ESM.sh.
  • These references are standard for the skill's purpose and utilize reputable content delivery networks.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 02:34 PM
Security Audit — agent-trust-hub — design-tokens