blueprint
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: To facilitate user review, the skill uses shell commands (
openon macOS andxdg-openon Linux) to display the generated HTML blueprints in the system's default browser. - [EXTERNAL_DOWNLOADS]: The visual blueprints reference the Mermaid.js library and the ELK layout engine from
cdn.jsdelivr.net, as well as typography fromfonts.googleapis.com. These are standard, well-known services for web development and documentation tools. - [PROMPT_INJECTION]: The skill's exploration workflow involves subagents scanning the codebase to synthesize implementation plans. As untrusted data from the codebase enters the agent context (SKILL.md, Step 1) without explicit boundary markers or sanitization, there is a surface for indirect prompt injection. Malicious instructions embedded in source code could potentially influence the generated task list or the verification commands provided in the final checklist. Users are advised to review all generated shell commands before execution.
Audit Metadata