Web Interface Guidelines

Name: agent-skills/web-design-guidelines
Author: vercel-labs

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill executes arbitrary remote content from mutable, unauthenticated

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

Web Interface Guidelines: Review files for compliance with Web Interface Guidelines.

Actually does

The skill uses `WebFetch` to retrieve web interface guidelines from `https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md`. It then reads specified local files or patterns, applies the fetched guidelines as rules to these files, and outputs findings in a `file:line` format.

Threat Analysis

AI Agent Traps ↗Scanned 4/16/2026

Content InjectionPerception3 findings

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction2 findings

SystemicMulti-Agent Dynamics1 finding

Human-in-the-LoopHuman Overseerclean

Skill Info

Namevercel-labs/agent-skills/web-design-guidelines

Registrygithub

Version47863b24f8e2

PURLpkg:github/vercel-labs/agent-skills@47863b24f8e2?skill=web-design-guidelines

Stars25,222

Source

Repository ↗SKILL.md ↗

SHA-256f4647ca866a3...

SHA-19d66ad3d7390...

MD598087aedd183...

TLSHc421af61ee06...

Size1,231 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/vercel-labs/agent-skills

Skills.shDocs

npx skills add https://github.com/vercel-labs/agent-skills

254,600 installs

Assessments (4)

AI Agent Traps ↗

Remote Prompt Injection via External URL Fetchcriticalprompt injection

The skill instructs the agent to fetch content from an external GitHub URL and then execute that content as rules and 'output format instructions'. This is a classic indirect prompt injection vector: an attacker who controls or compromises the remote repository can inject arbitrary instructions into the agent's reasoning pipeline. The fetched content is explicitly trusted to define behavior ('The fetched content contains all the rules and output format instructions'), meaning a malicious payload at that URL would be executed with full agent privileges.

97% confidenceline 27

Fetch fresh guidelines before each review:
```
https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md
```
Use WebFetch to retrieve the latest rules. The fetched content contains all the rules and output format instructions.

Supply Chain Risk via Unversioned External Contenthighsupply chain

The skill fetches guidelines from a mutable GitHub raw URL pointing to the `main` branch with no pinned commit hash or content integrity check. This means any future push to that repository's main branch immediately changes the instructions the agent executes. An attacker who gains write access to the repository (or performs a repo takeover if the org/repo is abandoned) can silently alter the agent's behavior for all users of this skill.

95% confidenceline 26

https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md

Description Mismatch Enabling Goal Hijackingmediumdescription mismatch

The skill's declared purpose (UI code review for accessibility and design guidelines) does not align with its actual runtime behavior (fetching and executing arbitrary remote content as agent instructions). A user invoking this skill for a benign review task would be unaware that the agent is fetching and acting on externally-controlled instructions. This mismatch conceals the true attack surface from both users and automated skill auditors.

88% confidenceline 3

description: Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design"...
[vs]
The fetched content contains all the rules and output format instructions.

External guidelines source is a supply chain riskhighsupply chain, rag poisoning, prompt injection

The skill fetches its core 'rules' and 'output format instructions' from an external, unauthenticated URL. A compromise of this external resource could allow an attacker to inject malicious instructions, effectively poisoning the agent's knowledge base and controlling its behavior.

100% confidenceline 22

https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md
The fetched content contains all the rules and output format instructions.

Potential for data exfiltration via malicious guidelineshighdata exfiltration, prompt injection

The skill reads user-specified files and applies rules from an externally controlled source. If these guidelines are compromised, an attacker could craft instructions to exfiltrate the content of the read files.

90% confidenceline 10

Read the specified files
Apply all rules from the fetched guidelines
Output findings using the format specified in the guidelines.

SSRF via Agent-Initiated Outbound WebFetchmediumssrf

The skill instructs the agent to use a WebFetch tool to retrieve content from an attacker-controllable URL. If the remote content is ever modified to include redirect instructions or alternative URLs (e.g., pointing to internal network resources), the agent's WebFetch capability could be abused as an SSRF vector to probe internal infrastructure accessible from the agent's execution environment.

72% confidenceline 29

Use WebFetch to retrieve the latest rules.

Autonomy Abuse via Unconditional Remote Fetchmediumautonomy abuse

The skill mandates the agent fetch external content before every review ('Fetch fresh guidelines before each review') without any user confirmation or opportunity to inspect what is being fetched and executed. This pattern removes human oversight from a critical trust boundary — the agent autonomously loads and acts on externally-sourced instructions every time the skill is triggered.

85% confidenceline 33

Fetch fresh guidelines before each review:
1. Fetch guidelines from the source URL above
2. Read the specified files
3. Apply all rules from the fetched guidelines
4. Output findings using the format specified in the guidelines

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-skills/web-design-guidelines.svg)](https://mondoo.com/ai-agent-security/skills/github/vercel-labs/agent-skills/web-design-guidelines)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/vercel-labs/agent-skills/web-design-guidelines"><img src="https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-skills/web-design-guidelines.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-skills/web-design-guidelines.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow