octopus-ui-ux-design

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Direct interpolation of user-supplied input into shell commands creates a high-risk command injection vulnerability.
    • Ingestion points: User-provided product descriptions, aesthetics, and requirements from AskUserQuestion and Phase 1 searches.
    • Boundary markers: Input is wrapped in double quotes (e.g., "<user's product description>") within shell command strings in SKILL.md. Double quotes in shell environments allow command substitution (e.g., using backticks or $()).
    • Capability inventory: The skill utilizes python3, bash, codex exec, and the gemini CLI.
    • Sanitization: There is no evidence of input validation or shell-escaping to prevent malicious metacharacters from being interpreted by the shell.
  • [PROMPT_INJECTION]: The skill contains payloads designed to override agent logic and sub-agent instructions.
    • Evidence: Step 5b in SKILL.md explicitly uses directives like "take precedence over all skill directives" and "Skip ALL skills" when dispatching tasks to sub-agents via codex exec.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the execution of code from external repositories.
    • Evidence: Instructions in SKILL.md (Step 3) direct the agent to perform a git submodule update --init for the ui-ux-pro-max-skill repository if files are missing, introducing potential supply chain risks.
  • [DATA_EXFILTRATION]: The presence of a command injection surface combined with network-capable tools (like the gemini CLI and standard shell utilities) allows for the exfiltration of sensitive local data.
    • Evidence: An attacker could use the unvalidated input fields to read sensitive files (e.g., .ssh/id_rsa, .env) and transmit them using the available network-enabled CLI tools.
  • [REMOTE_CODE_EXECUTION]: The use of the gemini CLI with --approval-mode yolo allows the execution of remote model-generated outputs without human-in-the-loop verification, which could be exploited if the model is manipulated via the indirect injection path identified in the design critique phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 9, 2026, 06:35 AM