design
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill contains instructions to suggest and execute the command
npx getdesign@latest add <brand>, which downloads and runs external code from the NPM registry. This represents a remote code execution vector for unverified third-party scripts. - [COMMAND_EXECUTION]: Instructs the agent to utilize shell commands like
grepto search for component definitions in the local file system. It also reads durable context and design tokens from user-provided file paths and repository source code. - [EXTERNAL_DOWNLOADS]: Fetches design presets via the NPM registry and is designed to retrieve and process text content from external URLs provided by the user.
- [PROMPT_INJECTION]: Includes specific instructions to override the agent's standard response format, such as prefixing outputs with an emoji and strictly banning the use of em-dashes (—).
- [PROMPT_INJECTION]: The skill ingests untrusted data from repository URLs and user-pasted source code, creating a surface for indirect prompt injection where malicious instructions could be embedded in comments or text.
- Ingestion points: Repository source files (e.g.,
theme.ts,colors.ts), user-provided URLs, and local memory paths. - Boundary markers: No specific delimiters or warnings are established to distinguish ingested data from system instructions.
- Capability inventory: The agent has capabilities to read local files, execute shell commands, and perform remote code execution via
npx. - Sanitization: There are no instructions for sanitizing, validating, or escaping content retrieved from untrusted external sources or files.
Audit Metadata