syntax-design-system

Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)

Full Analysis

The skill syntax-design-system is provided as a markdown file, serving as a guide for using React components from Cambly's Syntax design system. The content is primarily instructional and descriptive, outlining core principles, component usage, and best practices.

Threat Category: Unverifiable Dependencies / External Downloads

  • The skill includes an npm install command (Line 29) instructing the installation of several packages: @cambly/syntax-core, @cambly/syntax-design-tokens, @cambly/syntax-icons, and @cambly/syntax-floating-components.
  • The @cambly/ organization is not present in the list of trusted GitHub organizations or specific repositories. Therefore, these dependencies are considered unverifiable at analysis time.
  • Severity: MEDIUM. While the skill itself is a descriptive guide, the instruction to install packages from an unverified source poses a risk if an AI agent (or a user following the instructions) were to execute this command. The risk lies in the potential for malicious code within these external packages.

Threat Category: Command Execution

  • The npm install command (Line 29) is a shell command. If an AI agent is configured to execute code blocks found within markdown instructions, this would constitute command execution.
  • Severity: MEDIUM. The command itself is for package installation, not arbitrary command execution, but it does involve executing external code (the package installation scripts) from an unverified source.

Other Threat Categories:

  • Prompt Injection: No patterns indicative of prompt injection were found.
  • Data Exfiltration: No commands or code snippets were found that attempt to read sensitive files or perform network requests to non-whitelisted domains for data exfiltration.
  • Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected.
  • Privilege Escalation: No sudo, chmod, or other privilege escalation commands were found.
  • Persistence Mechanisms: No attempts to establish persistence (e.g., modifying shell profiles, cron jobs) were detected.
  • Metadata Poisoning: The skill's name and description metadata are benign.
  • Indirect Prompt Injection: The skill is a guide and does not process external, untrusted content in a way that would lead to indirect prompt injection.
  • Time-Delayed / Conditional Attacks: No conditional logic based on dates, times, or other triggers for delayed attacks was found.

Conclusion: The primary concern is the instruction to install npm packages from an unverified source. While the skill is a descriptive guide, the presence of an executable npm install command means that if an AI agent were to execute this instruction, it would be downloading and running code from a source that has not been explicitly vetted as trusted. This leads to a MEDIUM verdict due to the unverifiable external dependencies and potential command execution.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 12:19 AM