The skill introduces supply chain risks by fetching unpinned external assets and insecurely piping API responses directly into local files, enabling potential arbitrary code injection.
npx skills add https://github.com/sleekdotdesign/agent-skillsThe skill instructs the agent to fetch SVGs from `api.iconify.design` and embed them into the codebase. This introduces a dependency on an external, unpinned service that could be used to inject malicious SVG payloads into the user's project.
GET https://api.iconify.design/{prefix}/{name}.svgThe instructions encourage piping API responses directly into files on the local system. If the API endpoint is compromised or if an attacker can influence the `code` field in the JSON response, this could lead to arbitrary file writes or code injection.
Instead, use shell commands to fetch the API response and write it directly to disk (e.g., pipe the response body into a file).
Skill does not specify a license field. Specifying a license helps users understand usage terms.
[](https://mondoo.com/ai-agent-security/skills/github/sleekdotdesign/agent-skills/sleek-design-mobile-apps)<a href="https://mondoo.com/ai-agent-security/skills/github/sleekdotdesign/agent-skills/sleek-design-mobile-apps"><img src="https://mondoo.com/ai-agent-security/api/badge/github/sleekdotdesign/agent-skills/sleek-design-mobile-apps.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/sleekdotdesign/agent-skills/sleek-design-mobile-apps.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.