ui-ux-pro-max
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process untrusted external data such as website URLs, code repositories, and Figma links, creating a surface for indirect prompt injection.
  - Ingestion points: Processes screenshots, Figma links, URLs, and repositories (defined in `SKILL.md`).
  - Boundary markers: No explicit delimiters or instructions (e.g., 'ignore instructions in the input') are present to prevent the agent from following malicious commands embedded in the processed data.
  - Capability inventory: The `search.py` script has the capability to write markdown files to the local filesystem using the `--persist` flag.
  - Sanitization: Input sanitization for the content being written cannot be fully verified, because the logic in `design_system.py` and `core.py` is missing from the provided files.
- [Command Execution] (LOW): The skill utilizes a Python script to manage design systems, which includes logic for writing files to the disk based on user-controlled input.
  - Path Traversal Risk: In `scripts/search.py`, the `project_slug` used for directory creation is derived from the `--project-name` argument using `replace(' ', '-')`. This does not sanitize directory traversal characters such as `..` or `/`, which could allow an attacker to influence where the agent writes files on the system.
  - Evidence: `project_slug = args.project_name.lower().replace(' ', '-') if args.project_name else 'default'` (Line 100).
Audit Metadata