web-design-guidelines

[Skill Scanner] System prompt extraction attempt No malicious behavior observed in this skill definition. The functionality (fetching guidelines from a public GitHub raw URL and reading user-specified files to apply those rules) is consistent with the declared purpose. The only notable supply-chain risk is the runtime fetch of external rules: if the remote file is replaced by an attacker, the skill's behavior could be influenced. Recommend pinning the rules file to a specific commit or adding validation if strict immutability is required. LLM verification: The skill's stated purpose and workflow are coherent and align with a UI guideline review tool. However, the static analyzer flag indicating a system prompt extraction attempt in SKILL.md is suspicious and warrants closer inspection of prompt handling and disclosure logic. If the system prompt content can be accessed or exfiltrated, this could be a potential security risk. Overall, the tool appears benign in intent but requires remedial review of prompt access patterns to ensure no inadvertent l