using-theme-variables
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- Prompt Injection (SAFE): No instructions attempting to override agent behavior or bypass safety filters were detected. The content remains focused on CSS and design system documentation.
- Data Exposure & Exfiltration (SAFE): No access to sensitive file paths (~/.ssh, .env, etc.) or network exfiltration patterns were found. JavaScript examples for accessing CSS variables are standard client-side code.
- Obfuscation (SAFE): The files consist of clear-text Markdown and CSS. No hidden Base64, zero-width characters, or homoglyphs were identified.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill references standard Tailwind CSS imports. There are no patterns involving remote script execution via curl/wget or unauthorized package installations.
- Privilege Escalation (SAFE): No commands requiring sudo, administrative privileges, or modifications to system configurations are present.
- Persistence Mechanisms (SAFE): The skill does not attempt to modify shell profiles, cron jobs, or startup services.
- Metadata Poisoning (SAFE): Metadata fields like name and description accurately reflect the technical content and do not contain deceptive instructions.
- Indirect Prompt Injection (SAFE): While the skill involves processing CSS and HTML snippets, it does not ingest untrusted external data that could lead to capability exploitation. Its primary function is informational.
- Time-Delayed / Conditional Attacks (SAFE): No logic gating behavior based on time, environment, or usage counters was found.
- Dynamic Execution (SAFE): Examples involving JavaScript manipulation of CSS variables (setProperty) are routine web development practices and do not involve unsafe deserialization or runtime code injection.