Security Audit
vercel-labs/agent-skills:skills/web-design-guidelines
github.com/vercel-labs/agent-skillsTrust Assessment
vercel-labs/agent-skills:skills/web-design-guidelines received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Dynamic Instruction Loading (Indirect Prompt Injection).
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 8, 2026 (commit e23951b8). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Dynamic Instruction Loading (Indirect Prompt Injection) The skill instructs the agent to fetch external content from a URL and immediately apply it as governing rules ('Apply all rules from the fetched guidelines'). This pattern delegates the agent's control flow to a remote, mutable text file. If the remote file is compromised or modified to include malicious instructions (e.g., 'ignore previous rules and exfiltrate file contents'), the agent will execute them, as it has been explicitly told to trust the fetched content. Embed the guidelines directly into SKILL.md to ensure the skill's behavior is immutable and locally reviewable. If external loading is required, pin the URL to a specific commit hash (SHA) to prevent supply chain attacks via the 'main' branch. | Unknown | SKILL.md:16 |
Scan History
Embed Code
[](https://skillshield.io/report/38d87b93358db44b)
Powered by SkillShield