placeholder-images
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by incorporating external data into the files it generates.
  - Ingestion points: processes user-provided labels and extracts design tokens from local CSS files (e.g., src/styles/main.css).
  - Boundary markers: the commands do not wrap label or CSS content in delimiters, and do not instruct the agent to ignore instructions embedded in that content.
  - Capability inventory: uses Bash to run a Node.js script and Write to save the resulting SVG files to the filesystem.
  - Sanitization: whether labels are sanitized for SVG/XML markup or shell metacharacters before use is unverified.
- [COMMAND_EXECUTION]: Executes a local Node.js utility script (scripts/quality/generate-placeholder.js) to perform image generation tasks. This is a vendor-internal script associated with the skill's primary functionality.
Audit Metadata