google-design
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses the npx command to download and execute the @google/design.md package. While this involves executing remote code, the package is hosted within a verified and trusted scope on the NPM registry.
- [COMMAND_EXECUTION]: The skill frequently utilizes the Bash tool to run CLI commands for linting, exporting tokens, and bootstrapping project files, providing the ability to execute shell commands within the environment.
- [EXTERNAL_DOWNLOADS]: The skill references and fetches resources from external sources, including the NPM registry and the google-labs-code/design.md GitHub repository.
- [PROMPT_INJECTION]: The skill establishes a surface for indirect prompt injection by instructing the agent to treat DESIGN.md files as persistent and authoritative design context.
  * Ingestion points: The AI agent reads and interprets DESIGN.md files located within the project repository.
  * Boundary markers: There are no explicit instructions or delimiters defined to warn the agent about potentially malicious instructions embedded in the markdown body or design tokens.
  * Capability inventory: The agent has access to tools such as Bash, Write, and WebFetch which could be leveraged if an injection is successful.
  * Sanitization: The skill does not implement or describe any sanitization or validation of the markdown content before it is ingested into the agent's context.
Audit Metadata