Security risk report for @forgecat/openai_skills_frontend-skill v0.0.10
Source Integrity
Low
Profile metadata declares OpenAI as author with a legitimate GitHub repository URL and Apache-2.0 license.
No instructions to fetch external payloads, install untrusted dependencies, or execute remote code.
Agent Intent
Low
Content is a legitimate design skill guide describing frontend composition, hierarchy, imagery, and motion best practices.
No instructions to manipulate the AI, ignore system prompts, exfiltrate data, or perform malicious actions.
No guidance poisoning: recommendations are standard design principles (whitespace, typography, imagery) with no typosquatted packages, backdoored templates, or security-weakening directives.
Details
Evidence
Entire SKILL.md is a design methodology document with sections like 'Beautiful Defaults', 'Landing Pages', 'Apps', 'Imagery', 'Copy', and 'Motion'.
Example guidance: 'Start with composition, not components', 'Prefer a full-bleed hero', 'Limit the system: two typefaces max' — all legitimate design constraints.
No references to credentials, system prompts, tool definitions, or external exfiltration.
Permissions
Low
No tools or skills are declared in the profile.
No file_write, shell, web_fetch, or other high/medium-risk categories are requested.
The skill is purely instructional guidance for the AI to apply when generating frontend code and designs.
Details
Evidence
'## Dependencies' section lists 'None'.
'## Declared tools' section is empty.
No MCP servers or tool definitions present.
MCP Risk
Low
No MCP servers are defined in the profile.
No tool descriptions, binary execution, or network/filesystem access is configured.
Details
Evidence
'## MCP servers (untrusted data)' section is empty.
Profile contains only markdown documentation and metadata.