Skills
skills/fusengine/agents/designing-systems/Gen Agent Trust Hub

designing-systems

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It is instructed to ingest existing codebase content (CSS, variables, and Tailwind configs) which are attacker-controllable and can contain malicious instructions. \n
  • Ingestion points: The workflow utilizes fuse-ai-pilot:explore-codebase to read existing styles and configuration files into the agent context. \n
  • Boundary markers: Absent. There are no instructions for the agent to treat local file content as data rather than instructions. \n
  • Capability inventory: The skill is granted Write, Edit, and Task tools, allowing it to modify the filesystem and execute system commands based on ingested content. \n
  • Sanitization: None. The skill operates on raw data read from the local environment. \n- COMMAND_EXECUTION (MEDIUM): The skill explicitly permits the Task tool in its allowed-tools metadata. This capability allows the agent to execute arbitrary shell commands on the host system. \n- REMOTE_CODE_EXECUTION (LOW): The skill fetches remote CSS resources via @import rules from api.fontshare.com in references/typography.md. This constitutes an external dependency that is fetched and processed at runtime.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:33 PM