logo-designer
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes git commands to ensure the local environment is synchronized with the remote repository before performing file operations.
  - Evidence: SKILL.md contains a 'Repo Sync Before Edits' section that runs `git rev-parse`, `git fetch`, `git pull`, and `git stash` commands.
- [COMMAND_EXECUTION]: The skill instructs the agent to use the system's `open` command to display the generated HTML showcase to the user.
  - Evidence: references/brand-showcase.md specifies the command `open /path/to/brand-showcase.html` (for macOS) or an equivalent command for other operating systems.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests data from external, potentially attacker-controlled project files to guide its execution and generate output.
  - Ingestion points: agents/brand-researcher.md reads content from metadata files like `README.md`, `package.json`, `pyproject.toml`, `Cargo.toml`, `go.mod`, and `pubspec.yaml`, as well as documentation files like `brand_kit.md` and `prd.md`.
  - Boundary markers: The skill does not implement boundary markers or instructions for the agent to ignore embedded commands or malicious instructions within the files it reads.
  - Capability inventory: The skill has file-writing capabilities (generating 7 SVGs and an HTML file) and shell execution capabilities (git and open commands).
  - Sanitization: The skill does not perform sanitization on extracted metadata (such as the product name or description) before incorporating it into the brand brief or the final HTML showcase, which could lead to cross-site scripting (XSS) when the file is opened in a browser.
Audit Metadata