style-creator
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to command injection because it constructs shell commands by interpolating unvalidated user input. If a user supplies a style ID or prompt text containing shell metacharacters (e.g., `;`, `&&`, `|`), the agent may execute arbitrary system commands when it runs the resulting command line.
- Evidence: `bun run ${CLAUDE_PLUGIN_ROOT}/skills/browsing-styles/scripts/generate_tiles.ts --style <style-id>` in SKILL.md.
- Evidence: `sips -s format png -s formatOptions best ${CLAUDE_PLUGIN_ROOT}/.../<style-id>.png --out ...` in SKILL.md.
- [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection: it ingests untrusted user data and uses it to drive automated workflows, including file system writes and command execution, without sanitization.
- Ingestion points: Style Name, ID, and prompts gathered from the user in Step 1 of SKILL.md.
- Boundary markers: Absent; user input is directly interpolated into file templates and shell strings.
- Capability inventory: Subprocess execution (bun, sips) and file system write access to root-level files (README.md, STYLES.md, plugin.json).
- Sanitization: No validation or escaping is applied to user-provided strings before processing.
- [COMMAND_EXECUTION]: Step 7 of the workflow executes an inline JavaScript script via `bun -e`. This script reads from `styles.json`, which contains data previously provided by the user. Malicious content in that JSON could interfere with the script's logic or lead to the generation of corrupted documentation files (README.md, STYLES.md).
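The following is an added example illustrating the remediation for both findings above; it is not code from the style-creator skill or from the audit. It shows the vulnerable shell-string construction beside a hardened version that allowlists the style ID and passes arguments as an argv array with no shell, and it validates the entries read back from `styles.json` before they reach the documentation step. The function names, the `assetDir` parameter standing in for the elided path in the sips evidence, the Markdown-table escaping, and the sample JSON are all assumptions made for this illustration.

```typescript
// Added example, not the skill's own code. Demonstrates allowlisting the
// style ID and replacing shell-string interpolation with argv arrays.
import { spawnSync } from "node:child_process";

// Allowlist: 1-64 chars of lowercase letters, digits and hyphens, no leading
// hyphen so the id can never be parsed as a flag by bun, sips or the script.
export const STYLE_ID_RE = /^[a-z0-9][a-z0-9-]{0,63}$/;

export function assertStyleId(id: string): string {
  if (!STYLE_ID_RE.test(id)) {
    throw new Error(`rejected style id: ${JSON.stringify(id)}`);
  }
  return id;
}

// The pattern the audit flags: user input interpolated into a shell string.
// A style id such as "noir; rm -rf ~" becomes two commands once /bin/sh
// parses this line.
export function unsafeTilesCommand(pluginRoot: string, styleId: string): string {
  return `bun run ${pluginRoot}/skills/browsing-styles/scripts/generate_tiles.ts --style ${styleId}`;
}

// Hardened: validated id, argv array, no shell. Each element reaches the
// program's argv verbatim, so `;`, `&&`, `|` and `$(...)` are inert bytes.
export function buildGenerateTilesArgv(pluginRoot: string, styleId: string): string[] {
  const id = assertStyleId(styleId);
  return ["bun", "run", `${pluginRoot}/skills/browsing-styles/scripts/generate_tiles.ts`, "--style", id];
}

// assetDir is an assumption standing in for the "..." in the audit's sips evidence.
export function buildSipsArgv(assetDir: string, styleId: string, outPath: string): string[] {
  const id = assertStyleId(styleId);
  return ["sips", "-s", "format", "png", "-s", "formatOptions", "best",
          `${assetDir}/${id}.png`, "--out", outPath];
}

// Runs an argv array without a shell (spawnSync's default is shell: false).
export function runArgv(argv: string[]): number {
  const result = spawnSync(argv[0], argv.slice(1), { stdio: "inherit" });
  if (result.error) throw result.error;
  return result.status ?? -1;
}

// Validation for styles.json before the documentation step consumes it.
export interface StyleEntry { id: string; name: string; prompt: string; }

// Rejects C0 control characters other than tab, newline and carriage return,
// which is enough to stop terminal escape sequences and NUL bytes.
const CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f]/;

export function parseStylesJson(raw: string): StyleEntry[] {
  const data: unknown = JSON.parse(raw);
  if (!Array.isArray(data)) throw new Error("styles.json: expected an array");
  return data.map((entry: unknown, i: number): StyleEntry => {
    if (typeof entry !== "object" || entry === null) {
      throw new Error(`styles.json[${i}]: not an object`);
    }
    const { id, name, prompt } = entry as Record<string, unknown>;
    if (typeof id !== "string" || typeof name !== "string" || typeof prompt !== "string") {
      throw new Error(`styles.json[${i}]: id, name and prompt must be strings`);
    }
    assertStyleId(id);
    for (const [field, value] of [["name", name], ["prompt", prompt]] as const) {
      if (value.length > 2000 || CONTROL_CHARS.test(value)) {
        throw new Error(`styles.json[${i}].${field}: too long or contains control characters`);
      }
    }
    return { id, name, prompt };
  });
}

// Escapes a value for a Markdown table cell so a crafted prompt cannot break
// the table layout or smuggle in new lines of STYLES.md (assumed format).
export function mdCell(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/\r?\n/g, " ");
}

export function stylesTableRow(entry: StyleEntry): string {
  return `| ${mdCell(entry.id)} | ${mdCell(entry.name)} | ${mdCell(entry.prompt)} |`;
}

// Constructed sample inputs, not data from the skill.
export const SAMPLE_STYLES_JSON = JSON.stringify([
  { id: "noir-film", name: "Noir Film", prompt: "high-contrast black and white, 1940s cinema" },
  { id: "pastel-sketch", name: "Pastel Sketch", prompt: "soft pencil lines | pastel wash" },
]);
export const HOSTILE_STYLES_JSON = JSON.stringify([
  { id: "noir-film; rm -rf ~", name: "Noir", prompt: "x" },
]);
```

The decisive change is not the regex but the argv array: even if a character slips past the allowlist, no shell ever parses it. The allowlist still matters for the second sink, the file path passed to sips, where a leading hyphen or a `../` segment would otherwise be interpreted by sips or by the filesystem.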
Audit Metadata