qiaomu-design
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides utility scripts (
scripts/qiaomu-design-preview-server.mjsandscripts/qiaomu-design-watch-selection.mjs) to enable an interactive design workflow. The preview server script initiates a local HTTP server on127.0.0.1and utilizeschild_process.spawnto launch the user's default browser. The code includes safety checks, such as verifying that requested file paths are within the designated root directory to prevent path traversal. - [PROMPT_INJECTION]: The skill implements a 'Self-Evolution Protocol' described in
SKILL.mdthat reads from and writes toreferences/user-preferences.md. This creates a vulnerability surface for indirect prompt injection where user feedback is incorporated into the agent's future instruction context. - Ingestion points: Feedback is persisted in
references/user-preferences.mdand read by the agent before every task. - Boundary markers: The preferences are stored in a Markdown list without explicit delimiters or instructions to the LLM to ignore embedded commands within the preferences.
- Capability inventory: The skill has the ability to execute local Node.js scripts, perform file read/write operations, and call agent tools like
AskUserQuestion. - Sanitization: The skill instructs the agent to 'abstract and refine' feedback rather than verbatim copying, which serves as a cognitive filter but lacks technical sanitization.
- [PROMPT_INJECTION]: The skill utilizes high-authority instructional markers and 'mandatory execution rules' (强制执行规则) to strictly define its personality and multi-stage workflow. It includes explicit 'visual bans' (视觉禁令) to prevent the agent from producing generic AI-style designs.
Audit Metadata