gpt-image-2-skill
Fail
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users to run an external tool directly from a Git repository using uvx. Evidence: uvx --from git+https://github.com/wuyoscar/gpt_image_2_skill gpt-image -p "a cat astronaut"
- [EXTERNAL_DOWNLOADS]: Installation instructions direct users to download and install tools and plugins from a repository (wuyoscar/gpt_image_2_skill) that is not a recognized trusted vendor or well-known service.
- [DATA_EXFILTRATION]: The skill's documentation indicates that the CLI and internal logic read the ~/.env file to access the OPENAI_API_KEY. While this is common for CLI tools, reading from sensitive file paths is flagged as data exposure.
- [COMMAND_EXECUTION]: Provides multiple examples of shell command execution (e.g., gpt-image -p ...) involving an externally downloaded executable, which increases the risk surface for system compromise if the external code is malicious.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by ingesting untrusted user prompts and reference images, then using them in sensitive operations like writing to the filesystem (Path.write_bytes) and making network calls to the OpenAI API without explicit sanitization markers. Evidence:
  1. Ingestion points: User prompts and reference images (SKILL.md)
  2. Boundary markers: Absent
  3. Capability inventory: Filesystem write, Network access (openai client), Shell execution (gpt-image)
  4. Sanitization: Absent
Recommendations
- AI detected serious security threats
Audit Metadata