moai-workflow-design
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill incorporates a mandatory security scan for imported design bundles (Path A), which includes validating magic bytes and checking for malicious patterns like path traversal (
../), symbolic links, and executable files before extraction. - [SAFE]: SVG asset handling includes specific instructions to strip script tags, mitigating potential Cross-Site Scripting (XSS) risks associated with vector graphics metadata.
- [SAFE]: The skill explicitly prohibits hardcoded API tokens for Figma integration (Path B1), mandating the use of environment variable references (e.g.,
FIGMA_TOKEN) to ensure secure credential management. - [SAFE]: Operations are restricted to a defined set of "reserved output paths" within the
.moai/design/directory, preventing accidental or malicious modification of external project files.
Audit Metadata