generate-design-md
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Node.js script (derive-palette.mjs) to generate Material 3 color tokens. The underlying source code for this script (src/derive-palette.ts) includes validation logic to ensure the input hex seed follows a strict format before processing.
- [DATA_EXPOSURE]: The skill reads from and writes to the local filesystem within the .plans/ directory. It requires a PRD file as input and generates a design system document as output. These operations are restricted to the local workspace and intended for project documentation.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from a local prd.md file to extract project context. While the instructions do not specify the use of strict boundary markers for this ingestion, the skill mitigates risks by limiting the PRD data's use to prose generation and employing validated inputs for more sensitive operations like palette derivation.
Audit Metadata