qiaomu-design

Pass

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides utility scripts (scripts/qiaomu-design-preview-server.mjs and scripts/qiaomu-design-watch-selection.mjs) to enable an interactive design workflow. The preview server script initiates a local HTTP server on 127.0.0.1 and utilizes child_process.spawn to launch the user's default browser. The code includes safety checks, such as verifying that requested file paths are within the designated root directory to prevent path traversal.
  • [PROMPT_INJECTION]: The skill implements a 'Self-Evolution Protocol' described in SKILL.md that reads from and writes to references/user-preferences.md. This creates a vulnerability surface for indirect prompt injection where user feedback is incorporated into the agent's future instruction context.
  • Ingestion points: Feedback is persisted in references/user-preferences.md and read by the agent before every task.
  • Boundary markers: The preferences are stored in a Markdown list without explicit delimiters or instructions to the LLM to ignore embedded commands within the preferences.
  • Capability inventory: The skill has the ability to execute local Node.js scripts, perform file read/write operations, and call agent tools like AskUserQuestion.
  • Sanitization: The skill instructs the agent to 'abstract and refine' feedback rather than verbatim copying, which serves as a cognitive filter but lacks technical sanitization.
  • [PROMPT_INJECTION]: The skill utilizes high-authority instructional markers and 'mandatory execution rules' (强制执行规则) to strictly define its personality and multi-stage workflow. It includes explicit 'visual bans' (视觉禁令) to prevent the agent from producing generic AI-style designs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 7, 2026, 02:06 AM
Security Audit — agent-trust-hub — qiaomu-design