slides
Warn
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script, search-slides.py, located at .claude/skills/design-system/scripts/. This script is not included in the provided file list and resides in a different skill's directory, representing a dependency on external code that could be modified independently of this skill.
- [EXTERNAL_DOWNLOADS]: The html-template.md file includes a script tag that fetches the Chart.js library from https://cdn.jsdelivr.net/npm/chart.js@4.4.1/dist/chart.umd.min.js. While this is a well-known content delivery network, it represents an external dependency loaded at runtime.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it ingests untrusted user data via $ARGUMENTS in references/create.md and uses it to generate HTML presentations.
  - Ingestion points: User-provided arguments are captured in the references/create.md file within a <task> tag.
  - Boundary markers: The skill uses <task> tags to encapsulate the user input, which provides some context but does not prevent adversarial instructions from influencing the agent's behavior during HTML generation.
  - Capability inventory: The agent has the capability to execute shell commands (Python scripts) and generate files (HTML/CSS/JS).
  - Sanitization: There is no evidence of input validation, escaping, or sanitization performed on $ARGUMENTS before it is processed by the agent.
Audit Metadata