frontend-design

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation in references/design-md-format.md describes the use of npx to run commands such as design-md lint and design-md export. This provides a pattern for executing shell commands via the Bash tool.
  • [REMOTE_CODE_EXECUTION]: The instruction to use npx design-md constitutes a remote code execution risk. The package is claimed to be a 'Google Labs' tool, yet no such official utility exists in public registries from that provider, making the package a potential target for supply chain attacks or typosquatting.
  • [EXTERNAL_DOWNLOADS]: The npx utility triggers the download of code from the npm registry at runtime. While the skill also mentions well-known packages like framer-motion and react-window, the inclusion of the unverified design-md utility is a concern.
  • [PROMPT_INJECTION]: The workflow in SKILL.md requires the agent to read and parse a DESIGN.md file from the project root, using its contents as the 'source of truth' for implementation. This ingestion of untrusted data from the user's environment represents an indirect prompt injection surface.
      • Ingestion points: DESIGN.md file in the project root directory.
      • Boundary markers: No delimiters or warnings are specified to prevent the agent from obeying instructions embedded within the design token values.
      • Capability inventory: The agent has access to powerful tools including Bash, Write, Edit, and WebFetch, which could be misused if the agent is compromised by malicious content in the design file.
      • Sanitization: There is no evidence of sanitization or strict schema validation for the token data before it is used to generate code or influence agent behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 14, 2026, 02:36 PM