canvas-design
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection.
- Ingestion points: It ingests 'user's subtle inputs or instructions' and references to 'movie/game/book related content' to influence design (SKILL.md).
- Boundary markers: Absent. There are no instructions to delimit user input or ignore embedded commands within the 'subtle references'.
- Capability inventory: File system search (./canvas-fonts), network downloading ('Download... any fonts'), and binary file creation (.pdf, .png).
- Sanitization: Absent. The agent is explicitly told to 'Embrace ultimate design freedom and choice' and follow 'instinct/intuition', which removes constraints against adversarial steering.
- EXTERNAL_DOWNLOADS (HIGH): The instruction to 'Download and use any fonts needed to make this happen' encourages the agent to fetch external binary resources from unverified, user-influenced, or arbitrary sources, bypassing typical safety sandboxing for network resources.
- REMOTE_CODE_EXECUTION (MEDIUM): In conjunction with the download directive, processing untrusted font files is a significant security risk. Maliciously crafted font files can exploit vulnerabilities in font-parsing libraries (e.g., FreeType, HarfBuzz) to achieve code execution or memory corruption within the agent's environment.
- COMMAND_EXECUTION (LOW): The skill requires the agent to 'Search ./canvas-fonts directory', necessitating local filesystem access and traversal capabilities to locate assets.
Recommendations
- AI detected serious security threats
Audit Metadata