design-import

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external handoff bundles (via URLs or local files) and interpolates this content into prompts for sub-agents.
    - Ingestion points: Data enters the system via the bundle_input argument. The skill extracts and reads content from the archive, including README.md, chats/*.md, and project/*.html.
    - Boundary markers: The Phase 4 prompt uses markdown code blocks (```tsx) to wrap the external tsx_scaffold content. This is a weak boundary that an attacker can easily escape with a closing code block and new instructions.
    - Capability inventory: The skill utilizes powerful tools including Write, Edit, Bash, and Agent, allowing it to modify project source code and configuration files based on instructions interpreted from external data.
    - Sanitization: There is no evidence of sanitization, filtering, or validation of the HTML or Markdown content before it is passed to the sub-agents.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to perform archive extraction using the tar -xzf command on files downloaded from external URLs. This presents a risk if the archive is maliciously crafted to exploit the extraction utility (e.g., path traversal via symlinks or zip-bomb attacks).
Audit Metadata
Risk Level
SAFE
Analyzed
May 4, 2026, 05:09 PM