
design-api

Warn

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: MEDIUM

Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several shell commands to perform its core functions. This includes using curl to interact with an external API, python3 to execute an embedded script for JSON parsing, and npx to start a local web server (http-server) for API previews. It also uses system tools like lsof and kill to manage the local server process.
  • [CREDENTIALS_UNSAFE]: The skill instructions direct the agent to read the user's shell profile files (~/.zshrc or ~/.bashrc) to locate the RMOA_API_KEY. Accessing these files is a sensitive operation as they often contain private environment variables, aliases, and credentials beyond the scope of the skill's intended use.
  • [EXTERNAL_DOWNLOADS]: The generated HTML preview file downloads CSS and JavaScript assets from unpkg.com. This is a well-known content delivery network (CDN) used for hosting open-source packages.
  • [DATA_EXFILTRATION]: The skill transmits the generated OpenAPI specification to an external endpoint at api.ratemyopenapi.com. This network operation is part of the skill's documented functionality for automated linting and scoring of the design.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted markdown data (requirements, domain models, and stories) and processes it with high-privilege capabilities such as shell execution and file writing.
      • Ingestion points: Files provided by the user containing API requirements, domain descriptions, and user stories (e.g., conference-research.md, conference-domain.md).
      • Boundary markers: The skill lacks explicit delimiters or instructions to treat input content as untrusted data, increasing the risk of the agent obeying instructions embedded within the processed files.
      • Capability inventory: Shell execution (curl, python3, npx), file system access (writing JSON and HTML files), and network operations.
      • Sanitization: There is no evidence of input validation or content sanitization before the data is used to influence agent reasoning or tool parameters.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 29, 2026, 02:53 PM
Security Audit — agent-trust-hub — design-api