qiaomu-design-advisor
Pass
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'Self-Evolution Protocol' that instructs the agent to abstract user feedback into reusable rules and store them in a persistent ledger file (
references/user-preferences.md). - This ledger is read at the start of every interaction, and its rules are explicitly given higher priority than the skill's core instructions.
- This creates an indirect prompt injection surface where a user (or an external source influencing user feedback) can permanently alter the agent's behavior, potentially bypassing safety constraints or forcing unauthorized actions in future sessions.
- [COMMAND_EXECUTION]: The core instructions in
SKILL.mddirect the agent to execute thenpx extract-design-system <url>command when analyzing existing websites. - This involves downloading and executing a third-party Node.js package from the npm registry at runtime.
- Executing unverifiable dependencies based on potentially untrusted input URLs represents a command execution risk within the agent's environment.
- [COMMAND_EXECUTION]: The skill automatedly generates a local HTML file (
design-preview.html) containing embedded JavaScript for user interaction. - The provided template includes scripts for clipboard access and selection logic.
- Dynamically generating and saving executable files for the user to open locally is a security risk if the generation process can be manipulated by malicious input to include harmful scripts or access local file system resources.
Audit Metadata