custom-icons
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The `SKILL.md` file defines shell command templates, such as `potrace "tmp/output/<name>.pbm" -o "src/assets/icons/<name>.svg"`, which incorporate user-supplied variables like `<name>`. Without proper sanitization by the agent, this pattern creates a risk for command injection or path traversal, potentially allowing a malicious user to execute arbitrary shell commands or overwrite sensitive files on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data and uses it to drive powerful capabilities.
  - Ingestion points: User-specified icon 'subjects' and 'names' gathered during the Phase 1 discovery process.
  - Boundary markers: The instructions lack explicit delimiters or safety warnings to prevent user-supplied strings from being interpreted as instructions or command flags.
  - Capability inventory: Extensive use of subprocess calls to local Python scripts (`crop_and_trace.py`, `remove_chroma_key.py`) and external binaries (`potrace`, `svgo`).
  - Sanitization: No input validation or character escaping is defined for user-supplied strings before they are interpolated into shell commands.
- [EXTERNAL_DOWNLOADS]: Fetches and executes the `svgo` utility from the npm registry using `bunx` to perform SVG optimization. This is a standard workflow for asset optimization and utilizes a well-known technology service.
Audit Metadata