design-builder
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8) because its primary function involves extracting content and design tokens from untrusted external sources.
  - Ingestion points: Data is ingested from external URLs, web captures, screenshots, and documents (PDF/DOCX) within the copy.md, inputs.md, and redesign.md reference files.
  - Boundary markers: The skill includes explicit instructions for the agent to discard directives, prompts, or behavioral suggestions found in the source material (e.g., HTML comments, script tags, embedded text).
  - Capability inventory: The skill has the ability to write files to the local project root (DESIGN.md), execute local shell commands to run a preview server, and perform network requests to fetch content.
  - Sanitization: No programmatic sanitization or filtering is performed on the extracted content; the skill relies entirely on the agent's instruction-following to ignore embedded directives.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local server using the Bun runtime to facilitate design previews and interaction recording.
  - The execution command is bun run scripts/preview-server.ts with various flags for session paths and ports.
  - The preview-server.ts script is included in the skill's scripts/ directory and contains logic to serve HTML fragments and record events to a local file.
  - The server binds only to 127.0.0.1 and includes path traversal validation to ensure it only serves files from the designated session directory.
Audit Metadata