design-team
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its automated research capabilities.
- Ingestion points: The researcher agent (
agents/researcher.md) uses theWebFetchtool to retrieve content from external websites during competitive and audience analysis. - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions for the content retrieved from the web.
- Capability inventory: The design-engineer (
agents/design-engineer.md) and qa-lead (agents/qa-lead.md) agents have access to theBashtool and file system access viaWrite, which could be exploited if malicious instructions from the web are processed as authoritative. - Sanitization: There is no evidence of sanitization or filtering of external data before it is passed to other agents in the workflow.
- [EXTERNAL_DOWNLOADS]: The
SKILL.mdfile contains instructions for an optional commandnpx designteam create. This command downloads and executes a package from the NPM registry at runtime. - [COMMAND_EXECUTION]: Multiple agents within the skill are granted powerful shell access.
- The design-engineer (
agents/design-engineer.md) and qa-lead (agents/qa-lead.md) are both provided with theBashtool to implement and test code components, granting them significant access to the local execution environment. - The
SKILL.mdinstructions include a setup step requiring the user to manually copy agent and command definitions into the project's configuration directory. - [DATA_EXFILTRATION]: The
npx designteam createcommand is intended to transmit local role configurations to an external web service (designteam.app) to generate shareable links. This is a functional data transmission to the vendor's platform.
Audit Metadata