design-system

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: Potential for indirect prompt injection through the ingestion of untrusted web content.
  • Ingestion points: The skill navigates to and processes content from user-provided URLs in Step 1 and Step 11.
  • Boundary markers: No specific delimiters or safety instructions (e.g., "ignore embedded instructions") are used when the agent aggregates extracted site data into design-tokens.md.
  • Capability inventory: The skill can write files to the local filesystem (CSS, TypeScript, and Markdown files), capture screenshots, and execute JavaScript in the browser context.
  • Sanitization: Extraction logic uses basic string truncation for performance and length limits but does not sanitize text content for potential malicious instructions embedded in HTML metadata, alt text, or component labels.
  • [COMMAND_EXECUTION]: The skill uses browser automation tools (agent-browser or Playwright) to execute JavaScript snippets (Steps 2-9) for DOM inspection and style extraction. While these scripts are powerful, they are provided as static templates within the skill and are scoped to the browser's sandbox environment, consistent with the primary purpose of the skill.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 3, 2026, 09:45 AM