design-intent-specialist

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH

Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill maintains a significant attack surface for indirect prompt injection via visual reference processing.
    1. Ingestion points: External Figma URLs and screenshot attachments as specified in SKILL.md and WORKFLOW.md.
    2. Boundary markers: Absent; the instructions do not include delimiters or specific guidance to ignore malicious instructions embedded within design files.
    3. Capability inventory: The skill generates executable React/TypeScript code, interacts with MCP servers, and modifies the local file system (e.g., /design-intent/patterns/).
    4. Sanitization: Absent; no evidence of filtering or validation for content extracted from visual references.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill references third-party MCP servers for design extraction and framework guidance. Evidence: Recommends @anthropic/mcp-server-figma-dev-mode and @anthropic/mcp-server-fluent-pilot (TROUBLESHOOTING.md). Trust Status: Downgraded to LOW per [TRUST-SCOPE-RULE] as the packages are from the trusted @anthropic organization.
  • [REMOTE_CODE_EXECUTION] (LOW): Encourages the execution of remote packages via npx for MCP setup. Evidence: npx -y @anthropic/mcp-server-figma-dev-mode. Trust Status: Downgraded to LOW due to trusted source status.
  • [COMMAND_EXECUTION] (LOW): Utilizes commands for project setup (/setup) and pattern management (/save-patterns), which are expected for its development workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 12:53 PM