pix
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Command Execution] (HIGH): The skill is instructed to automatically execute shell commands via
Bashbased on scripts found inpackage.jsonand port detection logic. - Evidence: Phase 0, Step 5: "If not running, start dev server in background using detected package manager and script."
- Risk: If a user opens a malicious repository, the
package.jsonscripts could contain arbitrary system commands that the skill will execute without confirmation. - [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from both the local repository and the external Figma API.
- Ingestion points: Project configuration files (
package.json,tailwind.config.*,.env*) and Figma design metadata/tokens via MCP. - Boundary markers: Absent. There are no instructions to sanitize or ignore potentially malicious instructions embedded in design tokens or file contents.
- Capability inventory:
Bash,Write,Edit,Glob, andChromecontrol. - Sanitization: Absent. Values like hex codes, typography tokens, and layer names are used to modify project files and configuration.
- [Data Exposure] (LOW): The skill proactively scans for sensitive files and environment variables to detect project settings.
- Evidence: Phase 0, Step 2: "Check for port configuration in... .env*."
- Risk: While used for legitimate discovery, this increases the risk of sensitive environment variables being leaked into the LLM's context window.
Recommendations
- AI detected serious security threats
Audit Metadata