Security Audit
vercel-labs/agent-skills:skills/web-design-guidelines
github.com/vercel-labs/agent-skills

Trust Assessment
vercel-labs/agent-skills:skills/web-design-guidelines received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Remote Instruction Injection via External Guidelines and Potential Data Exfiltration via Arbitrary File Read.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on April 1, 2026 (commit 8c56b3d4). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Remote Instruction Injection via External Guidelines.** The skill fetches guidelines and instructions from an external URL (`https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md`) and states that the fetched content "contains all the rules and output format instructions". The LLM's behavior, including its processing logic and output format, is therefore controlled directly by content from an external, untrusted source. A compromise of this GitHub repository or of `command.md` would let an attacker inject arbitrary instructions into the LLM's context, enabling prompt injection that could dictate the LLM's actions, including data exfiltration or misuse of available tools. **Remediation:** Do not fetch executable instructions or rules from untrusted external sources. If external data is required, it should be strictly data (e.g., JSON, YAML) parsed by a secure, sandboxed interpreter, not fed directly to the LLM as instructions. Embed rules directly in the skill, or use a trusted, version-controlled source with integrity checks. | LLM | SKILL.md:18 |
| HIGH | **Potential Data Exfiltration via Arbitrary File Read.** The skill is designed to "Read the specified files". Combined with the remote instruction injection vulnerability (SS-LLM-001), a compromised guideline source (`command.md`) could instruct the LLM to read arbitrary files from the filesystem (e.g., sensitive configuration files, user data, environment variables). The contents of these files could then be exfiltrated, for example by being embedded in the "output findings" the LLM generates, or via other available tools if the injected prompt so directs. **Remediation:** Restrict file access to a predefined safe scope (e.g., only files within a specific project directory, or only files explicitly provided by the user and validated). Validate file paths strictly, and monitor and restrict the LLM's output channels to prevent exfiltration of sensitive data. | LLM | SKILL.md:29 |
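The integrity-check remediation for the critical finding can be sketched as follows. This is a minimal illustration, not the skill's actual code: the function names (`verify_digest`, `fetch_guidelines`) and the pinned digest value are assumptions introduced here, with the placeholder hash standing in for the SHA-256 of a reviewed copy of `command.md`.

```python
import hashlib
import urllib.request

# Placeholder digest: in practice, record the SHA-256 of the reviewed
# command.md at audit time. This value is illustrative only.
PINNED_SHA256 = "0" * 64

GUIDELINES_URL = (
    "https://raw.githubusercontent.com/vercel-labs/"
    "web-interface-guidelines/main/command.md"
)


def verify_digest(body: bytes, pinned_sha256: str) -> bytes:
    """Reject fetched content whose hash differs from the pinned digest."""
    digest = hashlib.sha256(body).hexdigest()
    if digest != pinned_sha256:
        raise ValueError(
            f"guidelines hash mismatch: expected {pinned_sha256}, got {digest}"
        )
    return body


def fetch_guidelines(url: str = GUIDELINES_URL,
                     pinned_sha256: str = PINNED_SHA256) -> str:
    """Fetch the external guidelines and verify them before use."""
    with urllib.request.urlopen(url) as resp:
        body = resp.read()
    return verify_digest(body, pinned_sha256).decode("utf-8")
```

With this pattern, a tampered `command.md` fails the hash check and is never handed to the LLM; updating the guidelines requires re-reviewing the file and bumping the pinned digest.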
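The file-scoping remediation for the high finding can likewise be sketched. Again this is an assumed helper, not part of the audited skill: `resolve_in_scope` confines reads to a single project root, rejecting absolute paths, `..` traversal, and symlink escapes.

```python
from pathlib import Path


def resolve_in_scope(requested: str, root: str) -> Path:
    """Resolve a requested file path and refuse anything that escapes
    the allowed project root (absolute paths, '..' traversal, symlinks)."""
    root_path = Path(root).resolve()
    # Resolving the joined path normalizes '..' and follows symlinks,
    # so the containment check below sees the real target location.
    candidate = (root_path / requested).resolve()
    if not candidate.is_relative_to(root_path):
        raise PermissionError(f"path escapes allowed scope: {requested}")
    return candidate
```

A skill using this check would only ever read `resolve_in_scope(user_path, project_dir)`, so an injected instruction like "read `../../etc/passwd`" raises instead of leaking file contents. (`Path.is_relative_to` requires Python 3.9+.)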
Embed Code
[SkillShield report](https://skillshield.io/report/38d87b93358db44b)