design-md
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches and executes the @google/design.md utility from the official NPM registry using npx. This package is the authoritative tool for the design specification and is maintained by a trusted organization.
- [COMMAND_EXECUTION]: Executes shell commands for linting, diffing, and exporting design tokens. All commands are scoped to the intended functionality of the skill and operate on design-related files within the workspace.
- [DATA_EXPOSURE]: Processes design specification files and brand metadata. No access to sensitive user data, system configurations, or credentials was detected.
- [PROMPT_INJECTION]: Evaluation of indirect prompt injection risk. Ingestion points: processes existing DESIGN.md files and user brand descriptions. Boundary markers: the specification's structured YAML and Markdown sections provide inherent formatting boundaries. Capability inventory: includes file writing and CLI execution. Sanitization: the skill relies on the official CLI tool to validate schema integrity and structural correctness, mitigating potential injection risks.
Audit Metadata