iblai-design
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
npx impeccablein its allowed tools, which downloads and executes an external package from the npm registry at runtime. - [REMOTE_CODE_EXECUTION]: The script
live-server.mjsinitializes a local HTTP server on the host machine to facilitate browser-agent communication and usesspawnto manage detached background processes. - [REMOTE_CODE_EXECUTION]:
live-poll.mjsdynamically executes other Node.js scripts within the skill's directory usingexecFileSyncto handle browser-triggered events. - [COMMAND_EXECUTION]: The script
pin.mjsprogrammatically modifies the AI agent's internal configuration by creating new subdirectories andSKILL.mdfiles within harness-specific skill folders (e.g.,.claude/skills/). - [COMMAND_EXECUTION]:
cleanup-deprecated.mjsperforms automated directory and file deletions within the agent's skill environment based on heuristic content checks ofSKILL.mdfiles. - [COMMAND_EXECUTION]: Multiple scripts, including
live-inject.mjsandlive-wrap.mjs, perform automated modifications of the user's project source files (HTML, JSX, TSX, etc.) to inject script tags and UI wrappers. - [PROMPT_INJECTION]: The skill has a vulnerability surface for indirect prompt injection:
- Ingestion points:
load-context.mjsreads content from untrusted project files likePRODUCT.mdandDESIGN.md. - Boundary markers: Absent; the content of these files is used to guide design decisions without clear delimiters.
- Capability inventory: The skill has access to shell execution (
Bash) and extensive file write capabilities across the project and agent environment. - Sanitization: No validation or sanitization of the markdown content from context files was observed before it influences agent behavior.
Audit Metadata