qiaomu-design-advisor

Pass

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a 'Self-Evolution Protocol' that instructs the agent to abstract user feedback into reusable rules and store them in a persistent ledger file (references/user-preferences.md).
  • This ledger is read at the start of every interaction, and its rules are explicitly given higher priority than the skill's core instructions.
  • This creates an indirect prompt injection surface where a user (or an external source influencing user feedback) can permanently alter the agent's behavior, potentially bypassing safety constraints or forcing unauthorized actions in future sessions.
  • [COMMAND_EXECUTION]: The core instructions in SKILL.md direct the agent to execute the npx extract-design-system <url> command when analyzing existing websites.
  • This involves downloading and executing a third-party Node.js package from the npm registry at runtime.
  • Executing unverifiable dependencies based on potentially untrusted input URLs represents a command execution risk within the agent's environment.
  • [COMMAND_EXECUTION]: The skill automatedly generates a local HTML file (design-preview.html) containing embedded JavaScript for user interaction.
  • The provided template includes scripts for clipboard access and selection logic.
  • Dynamically generating and saving executable files for the user to open locally is a security risk if the generation process can be manipulated by malicious input to include harmful scripts or access local file system resources.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 3, 2026, 05:55 PM
Security Audit — agent-trust-hub — qiaomu-design-advisor