fal-ai-media
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the fal-ai-mcp-server via npx. This package is the official tool for interacting with the fal.ai media generation service.
- [COMMAND_EXECUTION]: Recommended configuration involves executing the MCP server using npx, which is a common practice for running Node.js-based tools.
- [DATA_EXFILTRATION]: Provides a Python template that utilizes the requests library to communicate with the ElevenLabs API (api.elevenlabs.io). This network activity is used to facilitate legitimate text-to-speech generation.
- [PROMPT_INJECTION]: The skill processes untrusted user input as prompts for media generation models, creating a surface for indirect prompt injection.
  - Ingestion points: User-defined strings in the prompt and text parameters across various tools and code snippets.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt templates.
  - Capability inventory: The skill uses tools for file uploading (upload), network-based generation (generate), and external API calls via Python (requests).
  - Sanitization: There is no evidence of input sanitization or validation before the prompts are sent to the AI models.
Audit Metadata