color-palette
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied color data to run local Python scripts, creating a surface for potential instruction manipulation.
  - Ingestion points: User prompts for color inspiration and specific hex values as described in the workflow of SKILL.md.
  - Boundary markers: Absent; untrusted user input is not separated from instructions by delimiters or explicit 'ignore embedded instructions' warnings.
  - Capability inventory: The agent uses its shell capability to execute local scripts 'scripts/check_contrast.py' and 'scripts/generate_palette.py'.
  - Sanitization: The Python scripts perform basic hex parsing, which provides rudimentary validation, but the agent's instructions lack the sanitization required to safely handle potentially malicious strings interpolated into shell commands.