baoyu-image-gen
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill's primary entry point is a TypeScript script intended to be executed via
npxusing the Bun runtime. - [EXTERNAL_DOWNLOADS]: The skill communicates with the official API endpoints of Google (generativelanguage.googleapis.com), OpenAI (api.openai.com), and DashScope (dashscope.aliyuncs.com). These are well-known technology services used to facilitate the image generation process.
- [DATA_EXFILTRATION]: The skill transmits user-provided prompts and reference images to the selected cloud provider's API over HTTPS. It also retrieves API keys from environment variables and local
.envfiles located in the project or home directory, which is a standard practice for local development tools. - [PROMPT_INJECTION]: The skill processes text input from command-line arguments, project files, or standard input to be used as prompts for generative models. It includes the following characteristics:
- Ingestion points: Prompt text from
--prompt, contents of files from--promptfiles, and standard input viaBun.stdin.text()inscripts/main.ts. - Boundary markers: No explicit delimiters are used to wrap or isolate the injected prompt content.
- Capability inventory: The skill possesses the ability to make network requests (fetch) and perform file system operations (read/write images).
- Sanitization: Prompts are passed directly to the external APIs without modification or escaping, which is consistent with the skill's primary purpose of image generation.
Audit Metadata