design-generator
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill relies on
npx musubixacross its primary workflows. This command downloads and executes a package from the public npm registry at runtime. Because the package is not version-pinned and the source is not a recognized trusted vendor, this introduces a risk of supply chain compromise where the executed logic could be changed without notice. - [EXTERNAL_DOWNLOADS]: The skill initiates downloads from the npm registry during execution to fetch the required CLI tools. While the registry itself is a well-known service, the packages being fetched are not verified dependencies.
- [COMMAND_EXECUTION]: All provided shell scripts (
generate.sh,c4.sh,verify.sh,decision.sh) pass command-line arguments directly to the underlying tool using the"$@"pattern. This can lead to argument injection if user-provided input is passed to these scripts without prior validation. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes requirement documents. 1. Ingestion points: Requirement files located in
storage/specs/REQ-*.md. 2. Boundary markers: Absent; there are no instructions to the agent to ignore instructions embedded within these data files. 3. Capability inventory: The skill can execute shell commands via scripts in thescripts/directory. 4. Sanitization: There is no evidence of sanitization or content validation for the requirements data before it is processed by the agent.
Audit Metadata