fe-design-pr
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands through the `gh` CLI to interact with GitHub issues, pull requests, and the Git Data API. It also runs a bundled Node.js script (`upload-attachments.mjs`) to manage binary artifact uploads.
- [COMMAND_EXECUTION]: If the Storybook server is not already reachable, the skill automatically starts it in the background by executing a script defined in `package.json` (e.g., `npm run storybook`).
- [EXTERNAL_DOWNLOADS]: The skill fetches data from the GitHub and JIRA APIs to parse issue descriptions and comments. Both are well-known services, and the skill reaches them through official MCPs or authenticated CLIs.
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection via the following surface area:
  - Ingestion points: GitHub/JIRA issue bodies, comments, and Figma layer metadata (`SKILL.md`, workflow steps 1 and 2).
  - Boundary markers: Untrusted data quoted into the PR body is wrapped in fenced code blocks, and the agent is explicitly instructed to treat that content as data, never as imperatives.
  - Capability inventory: The skill can create and update PRs, push to Git refs, move local files, and dispatch tasks to subagents (`SKILL.md`, `upload-attachments.md`).
  - Sanitization: Artifact paths are validated against a strict regex (`^\.fe-design-cache/diff/[^/]+\.png$`) before use, which blocks directory traversal attempts that malicious Figma metadata could otherwise trigger through a crafted file name.
- [SAFE]: The skill implements an explicit confirmation gate (`gate-prompt.md`): the user must review the parsed intent and the list of components before any implementation or PR creation occurs, providing a human-in-the-loop check.
Audit Metadata