Document design
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill has a high-risk capability tier because it reads untrusted data from local files and incorporates it into a workflow involving file writing and command execution.
  - Ingestion points: Brand configuration is read from .claude/pdf-playground.local.md, and user prompts define document content.
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore embedded commands within the ingested data.
  - Capability inventory: The skill can write HTML files to the working directory and execute shell commands (chromium-browser) or use browser automation tools (Playwright) to render content.
  - Sanitization: Absent. Data from configuration files is directly interpolated into CSS and HTML components without escaping or validation.
- Dynamic Execution (MEDIUM): The skill dynamically generates HTML and CSS code at runtime based on external input and then renders this code using a headless browser. This runtime execution of generated content creates a surface for cross-site scripting (XSS) or file disclosure within the browser context.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The references/css-patterns.md file provides a specific bash script for generating PDFs using chromium-browser. Instructing the agent to execute shell commands using dynamically assembled paths and content significantly elevates the impact of any successful injection.
Recommendations
- AI detected serious security threats
Audit Metadata