Design to Code
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is susceptible to Indirect Prompt Injection from untrusted design files.
- Ingestion points: Design data is ingested via `mcp__pencil__batch_get` and `mcp__pencil__get_variables` tool calls that read external `.pen` files.
- Boundary markers: Absent. The instructions do not define delimiters or provide guidance to the agent to ignore or separate natural language instructions embedded within the design properties (e.g., text content).
- Capability inventory: The skill is designed to generate executable React/TSX code. If the AI agent has permissions to modify or create files in the workspace, a maliciously crafted design file could trick the agent into writing backdoors or exfiltration scripts into the codebase.
- Sanitization: Absent. The skill provides mapping tables for styling but does not include logic for sanitizing or validating text content from the design before it is interpolated into component templates.
Audit Metadata