art

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No security issues were detected. The skill follows established best practices for agent tool development.
  • [COMMAND_EXECUTION]: The skill invokes a local Bun script (tools/generate-image.ts) to manage image generation tasks. This script is self-contained and performs only the actions required for its stated visual generation purpose.
  • [EXTERNAL_DOWNLOADS]: Network operations are restricted to two service providers: the Google Gemini API for image generation and remove.bg for optional background removal. Both are well-known technology services and are treated as safe sources.
  • [CREDENTIALS_UNSAFE]: The skill avoids hardcoding secrets. It retrieves required API keys (GOOGLE_API_KEY and REMOVEBG_API_KEY) from a local configuration file at ~/.claude/.env, which is a standard and secure method for local credential management in this context.
  • [DATA_EXFILTRATION]: No unauthorized data transmission was found. The tool does not access sensitive system files (such as SSH keys or global environment variables) and only transmits data necessary to fulfill the user's image generation requests to the intended API endpoints.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 14, 2026, 10:26 AM