design-state

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE

PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill facilitates Indirect Prompt Injection by design. It requires agents to read a shared document (design-state.md) containing content written by other agents and potentially influenced by user input.
  • Ingestion points: The design-state.md file is the primary ingestion point, specifically the 'Handoff Chain' and 'Decisions Log' sections which contain free-text descriptions.
  • Boundary markers: The skill uses standard Markdown formatting (headers and blockquotes) for the shared file, but does not provide instructions to the agents to treat the ingested data as untrusted or to ignore any instructions embedded within it.
  • Capability inventory: This skill interacts with the file system. It is part of a larger system where other agents, such as design-builder, likely possess capabilities for code generation, file modification, or execution.
  • Sanitization: There are no mechanisms described for sanitizing or validating the text appended to the state file before it is processed by the next agent in the chain.
  • [COMMAND_EXECUTION]: While this skill itself focuses on file maintenance, it coordinates a multi-agent system where subsequent agents are expected to act on the data retrieved from the state file, creating a risk if the retrieved data contains malicious commands disguised as design decisions.
Audit Metadata
Risk Level
SAFE
Analyzed
May 1, 2026, 09:27 AM