The Agent Skills Directory

EXTERNAL_DOWNLOADS (MEDIUM): The installation instructions in README.md utilize curl and npx to fetch content from github.com/tylercecchi. This repository and author are not part of the pre-approved trusted sources list. While this is a standard installation pattern for the environment, it introduces a dependency on untrusted external content.
REMOTE_CODE_EXECUTION (MEDIUM): The automated scan detected a pattern where a remote SKILL.md file is downloaded directly into the agent's skill directory (.claude/skills/design-dna/SKILL.md). In this context, the markdown file acts as executable logic for the AI agent, meaning a remote attacker could modify the skill's behavior by updating the file on GitHub.
COMMAND_EXECUTION (MEDIUM): The skill documentation lists commands such as try [change] and generate reference app, which involve the agent writing to the filesystem and potentially executing or previewing generated code. This capability tier increases the risk associated with the untrusted instructions downloaded during installation.
INDIRECT PROMPT INJECTION (LOW): The skill is designed to ingest and process user-provided design definitions (Foundations, Schema, Principles) to generate application structures.
Ingestion points: The agent reads user design input to populate dna/ directory files.
Boundary markers: No specific delimiters or safety warnings are provided in the README or plugin metadata to separate user input from agent instructions.
Capability inventory: The skill can write multiple markdown and YAML files and is intended to 'fabricate' product logic.
Sanitization: There is no evidence of sanitization for user-provided strings before they are incorporated into the 'DNA' structure.

design-dna