ui-ux-pro-max
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PRIVILEGE_ESCALATION]: The skill instructions require the agent to execute `sudo apt update && sudo apt install python3` on Debian-based systems. This acquires root privileges to modify system state and install external software.
- [COMMAND_EXECUTION]: The skill relies on multiple shell commands, including `python3`, `brew install`, and `winget install`, to prepare the environment and run the core design intelligence script.
- [INDIRECT_PROMPT_INJECTION]: The skill workflow is vulnerable to indirect prompt injection because it instructs the agent to pass raw, untrusted user queries directly as arguments to the `search.py` script without boundary markers or sanitization guidelines.
  - Ingestion points: product types, industry names, and keywords supplied by the user in natural language (e.g. `"<product_type> <industry> <keywords>"`).
  - Boundary markers: none identified. Although the input is double-quoted in the example instructions, nothing requires the agent to sanitize the content or handle shell-breaking characters such as semicolons or backticks, and double quotes do not neutralize a query that carries its own closing quote or a `$(...)`/backtick substitution.
  - Capability inventory: the agent is directed to write files to disk (`design-system/MASTER.md`) and to execute Python scripts that process this input.
  - Sanitization: no verification steps, escaping protocols, or validation rules are specified for user-supplied strings before they are interpolated into the shell command.
- [DYNAMIC_EXECUTION]: The core functionality of the skill depends on executing a local Python script (`scripts/search.py`) located within the skill's own directory structure.
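The following is an added example, not code from the ui-ux-pro-max skill or from the audit. It contrasts the pattern flagged above (the user query interpolated into one shell string) with an argv-list invocation that never touches a shell, preceded by an allowlist check. `scripts/search.py` is the path named in the analysis; the allowlist regex, the length limit, the helper names and the sample queries are assumptions constructed for this illustration.

```python
"""Two ways to hand a user query to scripts/search.py.

build_command_unsafe mirrors the pattern flagged in the audit: the query is
interpolated into a single shell string. build_command_safe passes it as one
argv element with no shell involved, after an allowlist check.
All query strings used here are constructed examples, not data from the audit.
"""
import re
import shlex
import subprocess

SEARCH_SCRIPT = "scripts/search.py"  # path named in the audit

# Shell operators that start a new command once the quoted region is closed.
COMMAND_SEPARATORS = {";", "|", "||", "&", "&&"}

# Assumed allowlist for a "<product_type> <industry> <keywords>" query: words of
# letters, digits, hyphens and underscores separated by single spaces or commas.
# The skill specifies no such policy; this one is an illustration.
QUERY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*(?:[ ,][A-Za-z0-9_-]+)*$")
MAX_QUERY_LEN = 200


def build_command_unsafe(query: str) -> str:
    """The audited pattern. The surrounding double quotes do not help once the
    query supplies its own closing quote followed by a separator."""
    return f'python3 {SEARCH_SCRIPT} "{query}"'


def shell_commands(cmdline: str) -> list[list[str]]:
    """Approximate how a POSIX shell splits cmdline into commands. shlex with
    punctuation_chars makes ; | & stand-alone tokens. Diagnostic only: it does
    not model newlines, backticks or $(...), which is one reason the safe path
    below avoids the shell instead of filtering for 'bad' characters."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_query(query: str) -> str:
    """Reject anything outside the allowlist before it nears a process
    boundary. A leading '-' is also rejected, so the query cannot be read as
    an option by search.py."""
    if len(query) > MAX_QUERY_LEN:
        raise ValueError("query too long")
    if not QUERY_RE.fullmatch(query):
        raise ValueError("query contains characters outside the allowlist")
    return query


def build_command_safe(query: str) -> list[str]:
    """argv form: with no shell in the path, ; ` $ and quotes are inert bytes
    inside a single argument."""
    return ["python3", SEARCH_SCRIPT, validate_query(query)]


def run_search(query: str) -> subprocess.CompletedProcess:
    """How the agent should invoke the script: argv list, shell=False."""
    return subprocess.run(build_command_safe(query), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    benign = "dashboard fintech dark-mode"
    hostile = 'dashboard fintech"; echo INJECTED; echo "x'  # constructed payload
    print(shell_commands(build_command_unsafe(benign)))   # one command
    print(shell_commands(build_command_unsafe(hostile)))  # three commands
    print(build_command_safe(benign))
    try:
        build_command_safe(hostile)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is deliberately the second line of defence: the structural fix is the argv list, because any blocklist of shell metacharacters has to anticipate every quoting and substitution rule of every shell the agent might be running under.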
Recommendations
- AI detected serious security threats
Audit Metadata