design-system
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to execute `playwright-cli` commands with user-provided URLs. This creates a risk of command injection if the URL parameter is not strictly validated or sanitized by the agent before being passed to the shell.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted HTML and CSS from external websites and synthesizes this data into natural language design instructions in a `DESIGN.md` file. These instructions are intended to guide future agent actions (the 'design loop'), which an attacker could manipulate by embedding malicious instructions within the source website's code.
  - Ingestion points: External URLs via Playwright, local HTML files, and the Google Stitch API.
  - Boundary markers: None identified; external content is processed directly into semantic descriptions without delimiters.
  - Capability inventory: `Bash` (for browser automation), `Write` and `Edit` (for file creation), and `Read` (for local file access).
  - Sanitization: No explicit sanitization or filtering of the ingested content is mentioned before it is interpreted into natural language.
- [EXTERNAL_DOWNLOADS]: The skill interacts with arbitrary external URLs via `playwright-cli` and utilizes the `@google/stitch-sdk`. Interacting with untrusted websites involves downloading and processing remote content which may contain malicious code or instructions.
Audit Metadata