gsp-color
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses the WebFetch tool to retrieve OKLCH color scales from the tints.dev API. This is a legitimate functional requirement for generating technical color palettes from hex input.
- [DATA_EXFILTRATION]: While the skill communicates with an external API, the data shared is limited to non-sensitive hex color codes and semantic labels (e.g., primary, secondary) required for the service to return scale values.
- [PROMPT_INJECTION]: The enrichment mode in domains/system.md represents an indirect prompt injection surface because it reads and processes existing color-system.md files.
- Ingestion points: existing color-system.md files are read in domains/system.md.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when reading the files.
- Capability inventory: The skill utilizes the Write, WebFetch, and AskUserQuestion tools.
- Sanitization: No sanitization or filtering of the input file content is performed prior to extracting values, allowing potential instruction injection from externally modified files.
Audit Metadata