design-ship
Fail
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is highly vulnerable to shell command injection in Phase 4. It constructs a shell command using an f-string to embed the
pr_bodyvariable (which contains untrusted data such as thebundle_idand component names) directly into a bash herestring:Bash(f"gh pr create ... <<< '{pr_body}' ..."). An attacker-controlled design bundle could include single quotes in these fields to terminate the string and execute arbitrary shell commands on the host system. - [COMMAND_EXECUTION]: The skill exhibits a path traversal vulnerability in Phase 5 and Phase 3. It uses the untrusted
bundle_idfrom the design bundle to construct file paths for writing provenance data (.claude/design-handoffs/{bundle_id}.json) and saving screenshots. Without sanitization, a maliciousbundle_id(e.g.,../../.ssh/authorized_keys) could be used to overwrite sensitive files. - [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) as it processes data from external URLs or local JSON files without sanitization or boundary markers.
- Ingestion points: The skill accepts a
<handoff-url>orpath-to-bundle.jsonwhich it then parses to drive the automation pipeline. - Boundary markers: There are no delimiters or instructions to the agent to ignore embedded commands within the design bundle data.
- Capability inventory: The skill possesses extensive capabilities, including
Bash(shell execution),Write(file modification), andAgent(delegation to subagents with tool access). - Sanitization: There is no evidence of escaping, validation, or filtering of the content retrieved from the design bundle before it is used to template the PR body or generate test code via subagents.
Recommendations
- AI detected serious security threats
Audit Metadata