skills/tw93/claude-health/design/Gen Agent Trust Hub

design

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill contains instructions to suggest and execute the command npx getdesign@latest add <brand>, which downloads and runs external code from the NPM registry. This represents a remote code execution vector for unverified third-party scripts.
  • [COMMAND_EXECUTION]: Instructs the agent to utilize shell commands like grep to search for component definitions in the local file system. It also reads durable context and design tokens from user-provided file paths and repository source code.
  • [EXTERNAL_DOWNLOADS]: Fetches design presets via the NPM registry and is designed to retrieve and process text content from external URLs provided by the user.
  • [PROMPT_INJECTION]: Includes specific instructions to override the agent's standard response format, such as prefixing outputs with an emoji and strictly banning the use of em-dashes (—).
  • [PROMPT_INJECTION]: The skill ingests untrusted data from repository URLs and user-pasted source code, creating a surface for indirect prompt injection where malicious instructions could be embedded in comments or text.
  • Ingestion points: Repository source files (e.g., theme.ts, colors.ts), user-provided URLs, and local memory paths.
  • Boundary markers: No specific delimiters or warnings are established to distinguish ingested data from system instructions.
  • Capability inventory: The agent has capabilities to read local files, execute shell commands, and perform remote code execution via npx.
  • Sanitization: There are no instructions for sanitizing, validating, or escaping content retrieved from untrusted external sources or files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 15, 2026, 08:50 PM
Security Audit — agent-trust-hub — design