design-tokens
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection through its handling of token data.
- Ingestion points: The skill ingests data from external token files (
*.tokens.json) through thedtokens/model.pymodule. - Boundary markers: The system lacks delimiters to isolate ingested token data from internal instructional templates.
- Capability inventory: The skill can write files, generate shell commands, and create HTML content with external dependencies.
- Sanitization: Token names and values are interpolated into generated prompt strings in
dtokens/export_prompt.pywithout sanitization or escaping, which could allow malicious token data to influence downstream AI models. - [COMMAND_EXECUTION]: The skill involves the generation of CLI commands and the execution of a local utility server.
- The
promptcommand generates ready-to-paste shell command strings for external scripts (gpt_image_2.pyandnano_banana.py) which are not included in the package. - The
serveandusecommands launch a local HTTP server using Python'shttp.servermodule, binding to the loopback address (127.0.0.1), and automatically open the system's web browser. - [EXTERNAL_DOWNLOADS]: The skill and its included examples reference various external assets and developer tools from well-known services.
- HTML previews and landing page examples reference resources from Google Fonts, JSdelivr, Cloudflare, UNPKG, and ESM.sh.
- These references are standard for the skill's purpose and utilize reputable content delivery networks.
Audit Metadata