cc-design
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `Bash` and `Node.js` scripts to perform legitimate design tasks such as video rendering via `ffmpeg` and PDF/PPTX export via `Playwright`. These scripts are well-documented, include input validation (e.g., in `add-sfx-to-video.sh`), and are essential for the skill's visual design functionality.
- [EXTERNAL_DOWNLOADS]: The skill performs version checks and fetches design system specifications from established repositories. It references the author's own GitHub (`ZeroZ-lab/cc-design`) for updates and the `getdesign.md` catalog for design tokens. These are legitimate resources for a high-fidelity design tool.
- [DATA_EXFILTRATION]: No unauthorized data transmission was detected. The skill implements a 'Context Preservation' mechanism that saves design tokens (colors, font names) to a local file (`.claude/design-context.json`) to prevent loss during context compression. This data remains within the local project directory and is used solely for session recovery.
- [REMOTE_CODE_EXECUTION]: The skill contains an update check script (`hooks-lib/update-check.sh`) that fetches a version string from GitHub. It does not execute this string or any remote scripts directly; it identifies if a newer version exists and instructs the user to update manually via the package manager.
Audit Metadata