design-playground
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads project templates and libraries (Leva, Motion, Tailwind CSS) from the NPM registry. It also fetches content from external URLs, such as CodePen or social media, to analyze design techniques as requested by the user.- [COMMAND_EXECUTION]: It executes shell commands to initialize Vite projects, install Node.js dependencies, and run a local development server (
npm run dev) to host the interactive playgrounds.- [PROMPT_INJECTION]: The skill processes untrusted data from external URLs to extract CSS properties and animation values. This constitutes an indirect prompt injection surface, although the risk is minimal given the specialized nature of the processing and the development-focused context. - [Ingestion points]: External URLs (via WebFetch or Firecrawl) provided in the 'Step 1 — Understand the Experiment' phase.
- [Boundary markers]: None explicitly defined for the fetched external content.
- [Capability inventory]: Filesystem writes, package installation (
npm install), and starting local servers (npm run dev). - [Sanitization]: No explicit sanitization or validation of the fetched design source is mentioned.
Audit Metadata