psd-brand-guidelines

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill presents a high-risk attack surface because it combines the processing of untrusted external content with high-privilege tool access.
  • Ingestion points: The skill is designed to process user-provided 'artifacts' (presentations, documents, graphics) and prompts to apply branding (SKILL.md).
  • Boundary markers: No explicit boundary markers or delimiters for untrusted data are defined in the instructions to prevent the agent from obeying instructions embedded within the materials being branded.
  • Capability inventory: The skill is granted 'allowed-tools: Read, Write, Edit, Bash', which allows arbitrary file modification and shell command execution (SKILL.md).
  • Sanitization: While the skill mentions a validation utility (brand.py validate), it relies on programmatic checks that may be bypassed by sophisticated adversarial injections in the input content.
  • [Command Execution] (MEDIUM): The skill instructions rely heavily on the Bash tool to execute local Python utilities (brand.py, generate.py) via uv run. If these scripts do not rigorously sanitize the inputs passed from the agent (which are derived from user prompts), this could lead to command injection or unauthorized file access.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:57 AM