ads-generate
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from external files and passing it to subordinate agents.
- Ingestion points: Reads
campaign-brief.md(markdown) andbrand-profile.json(JSON) to extract prompts and style instructions. - Boundary markers: The instructions do not specify any delimiters or warnings to the sub-agents (e.g.,
visual-designer) to ignore instructions embedded within the brief data. - Capability inventory: The skill and its sub-agents have the capability to write to the file system (
./ad-assets/,generation-manifest.json), spawn further agents (visual-designer,format-adapter), and execute CLI commands (/banana generate). - Sanitization: There is no evidence of validation or sanitization of the content extracted from the campaign brief before it is interpolated into agent prompts.
- [COMMAND_EXECUTION]: The skill relies on several external and local execution patterns to function.
- It executes shell-like commands via the
/bananainterface (e.g.,/banana setup,/banana generate). - It references a local Python script
scripts/generate_image.pyas a fallback mechanism. - It performs file system operations on the user's home directory, specifically reading and writing to
~/.banana/and~/.claude/skills/ads/references/for configuration, pricing, and cost tracking.
Audit Metadata