ui-first-builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill identifies 'UI creation' and 'page building' from user descriptions as triggers for code generation. (1) Ingestion points: User-provided descriptions and context from 'CLAUDE.md'. (2) Boundary markers: Absent. There are no instructions to the agent to distinguish between design instructions and malicious embedded prompts. (3) Capability inventory: High-risk file-write access across the 'src/' directory including 'app/', 'components/', and 'lib/'. (4) Sanitization: Absent. The instruction to 'infer everything from context' and 'never ask questions' creates a high-confidence path for an attacker to inject malicious logic (e.g., XSS or credential theft scripts) into the generated React components.
  • Command Execution (MEDIUM): The skill instructions ('ask shadcn to add') and checklist ('npm run dev will work') imply the execution of shell commands and build processes based on the generated content.
  • External Downloads (LOW): The reliance on 'shadcn/ui' components involves fetching external code at runtime. Per [TRUST-SCOPE-RULE], while shadcn is a known tool, its integration here facilitates the execution of remote code generated from or influenced by untrusted descriptions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:42 AM