CtrlK
BlogDocsLog inGet started
Tessl Logo

design-shotgun

Design shotgun: generate multiple AI design variants, open a comparison board, collect structured feedback, and iterate. Standalone design exploration you can run anytime. Use when: "explore designs", "show me options", "design variants", "visual brainstorm", or "I don't like how this looks". Proactively suggest when the user describes a UI feature but hasn't seen what it could look like. (gstack)

Invalid
This skill can't be scored yet
Validation errors are blocking scoring. Review and fix them to unlock Quality, Impact and Security scores. See what needs fixing →
SKILL.md
Quality
Evals
Security

Security

2 findings — 1 critical severity, 1 medium severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.

Critical

E004: Prompt injection detected in skill instructions

What this means

Detected a prompt injection in the skill instructions. The skill contains hidden or deceptive instructions that fall outside its stated purpose and attempt to override the agent’s safety guidelines or intended behavior.

Why it was flagged

Potential prompt injection detected (medium risk: 0.60). The skill embeds many cross-cutting operational instructions (telemetry logging, gbrain sync/brain-publish prompts, automatic touches/analytics writes, and flows that can append/commit CLAUDE.md or remove vendored files) that go beyond "generate design variants" and could mutate repos or enable remote sync — behavior outside the skill's stated purpose and thus a hidden/deceptive instruction risk.

Report incorrect finding
Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.80). The skill's preamble and "GBrain Sync" workflow explicitly fetch and merge remote git data from the user's ~/.gstack brain repo and runs gstack-brain-sync (git fetch/merge + brain-sync), and it reads remote/third-party-sourced brain/profile files (and can open external URLs like https://garryslist.org) which are then consumed to bias generation, suggest skills, and influence next actions — exposing the agent to untrusted third-party content that can change behavior.

Report incorrect finding
Repository
garrytan/gstack
Commit

db9447c

Audited
Security analysis
Snyk

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill