design-md

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFEREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill uses npx to fetch and execute external packages from the NPM registry. It calls npx getdesign@latest to fetch brand-specific design systems and npx @google/design.md to perform linting and token export. While the Google package is from a trusted organization, the getdesign package is an unvetted third-party utility.
  • [EXTERNAL_DOWNLOADS]: The skill downloads design documentation files from remote sources using the getdesign utility. This is a primary feature used to populate the local design library.
  • [COMMAND_EXECUTION]: The skill runs local shell and Python scripts for operational tasks. Specifically, fetch_all_design_md.sh manages the fetching of library assets, and generate_design_md.py processes local project files to extract CSS tokens.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted CSS data from the project environment to generate design documentation.
  • Ingestion points: The generate_design_md.py script reads any CSS files found within the project path provided by the user.
  • Boundary markers: The resulting DESIGN.md file does not utilize specific boundary markers or instructions to isolate the extracted tokens from the agent's reasoning context.
  • Capability inventory: The skill can execute shell scripts, run Python logic, and initiate network requests via NPM tools.
  • Sanitization: The Python script applies regular expressions to extract specific property patterns (like hex colors or font families), which provides implicit filtering of the ingested content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — design-md