skills/ninehills/skills/design/Gen Agent Trust Hub

design

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to offer or execute npx getdesign@latest add <brand> to retrieve design presets from the VoltAgent/awesome-design-md repository. Executing unversioned code from an untrusted third-party source poses a supply chain risk, although the skill includes a mitigation requiring explicit user approval before execution.\n- [COMMAND_EXECUTION]: The skill uses shell commands like grep to find specific component names or classes within the local file system. This capability allows the agent to interact directly with the host environment's shell.\n- [DATA_EXFILTRATION]: The skill is designed to read and analyze local source files (e.g., theme.ts, colors.ts, tokens.css) and process user-provided screenshots. While these operations are necessary for design analysis, they involve accessing sensitive project data that could potentially be exposed if the agent is compromised.\n- [PROMPT_INJECTION]: The skill processes untrusted external data, creating an attack surface for indirect prompt injection.\n
  • Ingestion points: Reads local source code files and processes user-supplied screenshots/images in 'Screenshot Iteration Mode' (file: SKILL.md).\n
  • Boundary markers: Absent. The instructions do not specify any delimiters or warnings to ignore instructions embedded within the processed code or image metadata.\n
  • Capability inventory: The agent can execute shell commands (grep), run remote Node.js packages (npx), and modify local source files (file: SKILL.md, references/design-reference.md).\n
  • Sanitization: Absent. No validation or sanitization steps are defined for the data ingested from the external repository or screenshots.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 17, 2026, 01:00 PM
Security Audit — agent-trust-hub — design