frontend-design-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to run local shell scripts, specifically scripts/scan_ui_sources.sh and scripts/generate_output_skeleton.sh.
- Evidence: These scripts are referenced in the 'Quick start' and 'Workflow' sections as required steps for inventorying UI sources and scaffolding output directories.
- Risk: The contents of these scripts are not included in the skill definition, making them unverifiable. This allows for the execution of arbitrary, potentially malicious commands on the user's system if the scripts are tampered with or poorly authored.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of processing external codebases.
- Ingestion points: The skill reads and analyzes arbitrary files within a target frontend repository (e.g., React, Vue, or Next.js projects).
- Boundary markers: No boundary markers or 'ignore' instructions are defined to separate the untrusted codebase content from the agent's internal instructions.
- Capability inventory: The skill allows the agent to execute shell scripts and write files to the local filesystem (under the ui-ux-spec/ directory).
- Sanitization: There is no evidence of sanitization or filtering of the content extracted from the external codebase before it is used to generate refactor plans or documentation.
- Risk: A malicious repository could contain instructions hidden in code comments, README files, or metadata that could trick the agent into executing unauthorized shell commands or exfiltrating sensitive data found during the 'source inventory' phase.
Recommendations
- AI detected serious security threats