ui-convert-token-miner

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The main execution script scripts/mine.ts spawns Python subprocesses using child_process.execFile to run its internal helper scripts xaml-extractor.py and dart-extractor.py. This is a standard architectural choice for handling multi-language parsing requirements.
  • [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection as it ingests untrusted data from the project being analyzed (source code style definitions).
      • Ingestion points: Reads arbitrary CSS, SCSS, LESS, JS, TS, XAML, and Dart files defined in the project's index.
      • Boundary markers: None; the skill relies on regex and XML parsing to extract values.
      • Capability inventory: The skill has the ability to spawn subprocesses and write results to tokens.json on the local file system.
      • Sanitization: Values are normalized into canonical formats (e.g., hex colors, pixel numbers), providing a layer of data validation before the tokens are saved.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 02:27 PM