brand
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script "scripts/sync-brand-to-tokens.cjs" executes a local file using "child_process.execFileSync". It specifically targets ".claude/skills/design-system/scripts/generate-tokens.cjs", creating an execution dependency on a separate skill's content.
- [PROMPT_INJECTION]: The skill implements a mechanism in "scripts/inject-brand-context.cjs" to feed content from "docs/brand-guidelines.md" into the AI's prompt. This constitutes an indirect prompt injection attack surface.
  - Ingestion points: The script reads from "docs/brand-guidelines.md" or any path provided as a command-line argument.
  - Boundary markers: The output lacks delimiters (e.g., XML tags or clear markers) and specific instructions for the agent to treat the ingested data as data only, increasing the risk that the AI may interpret text within the guidelines as commands.
  - Capability inventory: The skill includes scripts capable of file system modification and local command execution.
  - Sanitization: While the script uses regular expressions to extract specific structured data like hex codes, it also extracts free-form text for "personality" and "mood" with no sanitization, which could be exploited to override agent instructions if the source file is modified by an untrusted party.
Audit Metadata