design-ui
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the `design-researcher` sub-agent.
  - Ingestion points: External web content gathered during the research phase (`references/agent-quality-gates.md`).
  - Boundary markers: None explicitly defined in the provided instruction files.
  - Capability inventory: Sub-agents have access to the `Bash`, `Write`, `Edit`, and `Read` tools (`references/self-improving-agent-spec.md`).
  - Sanitization: The skill implements a 'Reviewer' and seven specialized 'Critics' that validate output against objective metrics (WCAG compliance, 8pt grid adherence) before finalization, which serves as a significant mitigation layer.
- [COMMAND_EXECUTION]: The `design-generator` agent is configured with high-privilege tools, including `Bash` (`references/self-improving-agent-spec.md`). This is a standard capability for agents managing code assets, but it provides a broad surface for command execution if the agent is influenced by malicious input.
- [DATA_EXPOSURE]: The learning system persists data across sessions by writing to `~/.design-system/learning.json` (`references/learning-system.md`). While common for configuration and state management, this involves accessing the user's home directory for persistence.
Audit Metadata