design-mirror

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted HTML content from external websites via 'scripts/scrape_html.sh' (saving to '/tmp/target_page.html'). While the skill's instructions attempt to limit the agent's focus to design tokens, the lack of boundary markers or sanitization of the scraped content combined with the agent's capability to modify the user's codebase (e.g., updating 'tailwind.config.js' or 'globals.css') creates a surface for indirect prompt injection. A malicious website could embed instructions designed to manipulate the agent's code-generation logic.
  • [COMMAND_EXECUTION]: The provided bash scripts ('scripts/scrape_html.sh' and 'scripts/screenshot.sh') use the 'curl -k' flag, which disables TLS certificate verification. This violates security best practice and could expose the 'BRIGHTDATA_API_KEY' to a man-in-the-middle attacker if the network path is compromised.
  • [COMMAND_EXECUTION]: The helper scripts do not properly escape the URL input when constructing the JSON payload for the 'curl' command. This allows potential JSON injection into the API request sent to Bright Data: an attacker-controlled URL could attempt to manipulate other parameters in the vendor API request.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 14, 2026, 12:03 AM