frontend-studio
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The agent is instructed to run several shell commands, including node, npm and npx. This includes starting a Node.js server that hosts the interactive workbench from a script located at assets/serve-workbench.mjs.
- [REMOTE_CODE_EXECUTION]: The skill requires executing an unverified Node.js script (assets/serve-workbench.mjs) shipped in its assets. The script is functional for the design workbench, but its source was not provided for security review, so its runtime behavior cannot be verified.
- [EXTERNAL_DOWNLOADS]: The skill performs multiple external downloads to scaffold projects and install dependencies. It fetches packages from the npm registry (Vite, React, Tailwind, shadcn/ui and various animation libraries) and loads fonts from Google Fonts. It also loads the SortableJS library from jsdelivr.net. These are standard technology providers.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from the user's brief and from the workbench's "comment" fields. The agent is explicitly told to "respect the user's section comments as build instructions," which lets external input influence code generation and setup commands without sanitization.
  - Ingestion points: the user-provided project brief and the .mood-boards-spec.json file populated by the workbench.
  - Boundary markers: absent. JSON provides structure, but the values are used directly as instructions.
  - Capability inventory: shell command execution (npm, npx, node), file system access and dynamic code generation.
  - Sanitization: not implemented. The agent is directed to follow user-provided comments as authoritative guidance.
Audit Metadata