design-context-extract
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data from external URLs and images which could contain hidden instructions for the model.
  - Ingestion points: External URLs via WebFetch and screenshot analysis via multimodal vision.
  - Boundary markers: None explicitly mentioned to isolate untrusted data from the instruction context.
  - Capability inventory: The skill has access to Bash (shell), Write (file system), and task management tools.
  - Sanitization: No explicit filtering or sanitization of external content is described before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool and references the execution of `npx shadcn@latest`. While this is a common operation for managing design systems and shadcn/ui styles, the interaction between untrusted external data and shell execution is a potential risk factor.
- [DATA_EXFILTRATION]: The skill reads sensitive project configuration files such as `tailwind.config.*` and CSS files to analyze existing styles. While necessary for its core purpose of design extraction, the combination of broad file system read access and network capabilities (WebFetch) is documented as a data exposure surface.