moai-workflow-design-import
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a dynamic execution pattern through its Path B1 and Path B2 workflows. It orchestrates the creation of new executable skill files (e.g., `my-harness-figma-extractor`) via a meta-harness skill. These generated skills are then loaded and executed within the agent environment.
- [PROMPT_INJECTION]: The skill processes untrusted external data (Path A) in the form of ZIP bundles and HTML files, creating a surface for indirect prompt injection.
  - Ingestion points: Files provided via user-specified paths, specifically ZIP and HTML design bundles.
  - Boundary markers: Relies on magic byte verification and a version whitelist defined in `.moai/config/sections/design.yaml`.
  - Capability inventory: The skill has access to powerful tools including `Bash`, `Write`, and `Edit`, which could be abused if malicious instructions are successfully injected via the design tokens or manifest files.
  - Sanitization: The skill implements a dedicated 'Security scan' step (Step 4) that explicitly rejects bundles containing executable extensions (`.sh`, `.exe`, etc.), symbolic links, or path traversal sequences (`../`). It also validates MIME types for assets and strips script tags from SVG metadata.
Audit Metadata