moai-workflow-design

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill incorporates a mandatory security scan for imported design bundles (Path A), which includes validating magic bytes and checking for malicious patterns like path traversal (../), symbolic links, and executable files before extraction.
  • [SAFE]: SVG asset handling includes specific instructions to strip script tags, mitigating potential Cross-Site Scripting (XSS) risks associated with vector graphics metadata.
  • [SAFE]: The skill explicitly prohibits hardcoded API tokens for Figma integration (Path B1), mandating the use of environment variable references (e.g., FIGMA_TOKEN) to ensure secure credential management.
  • [SAFE]: Operations are restricted to a defined set of "reserved output paths" within the .moai/design/ directory, preventing accidental or malicious modification of external project files.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 05:12 AM
Security Audit — agent-trust-hub — moai-workflow-design