NYC

gemini-image

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • DATA_EXFILTRATION (HIGH): The file 'tips/image-upload.md' documents a 'curl' upload in which the form value is prefixed with '@', curl's syntax for reading that value from a local file. Evidence: the instruction 'curl -F "fileToUpload=@/path/to/local/image" https://catbox.moe/user/api.php' sends whatever file the path names to a public host. Risk: an attacker could use prompt injection to steer the agent into uploading sensitive files such as '~/.ssh/id_rsa' or configuration secrets to a public image host.
  • CREDENTIALS_UNSAFE (HIGH): The skill reads a local secret and sends it to an untrusted external service. Evidence: 'SKILL.md' retrieves an API key from 'config/secrets.md' and sends it in an Authorization header to 'https://api.apicore.ai'. Risk: neither that destination domain nor the registration site 'ismaque.org' (referenced in 'config/secrets.example.md' with an affiliate code) is a known, trusted provider, so the flow may serve to harvest credentials.
  • COMMAND_EXECUTION (MEDIUM): The skill builds shell commands from user-provided input. Evidence: 'SKILL.md' Step 2 interpolates user-supplied URLs and text directly into 'curl' arguments. Risk: without sanitization, a value beginning with '-' is parsed by curl as an option, a form value beginning with '@' is read from a local file, and an attacker-chosen URL can point the request at internal hosts (argument injection and Server-Side Request Forgery, SSRF).
  • PROMPT_INJECTION (LOW): The skill is exposed to indirect prompt injection (Category 8). Ingestion points: the 'image_URL' and 'description' parameters in 'SKILL.md'. Boundary markers: none present. Capability inventory: network requests via 'curl' and file-system reads via the '@' prefix. Sanitization: no input validation or escaping is implemented.
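The exfiltration, argument-injection and SSRF findings share one root cause: user-controlled strings reach curl's argument parser unchecked. The wrapper below is an added example written for this audit page, not code from the gemini-image skill or from Gen Agent Trust Hub. It shows the checks a skill author would apply to each value before it is interpolated: the file path must resolve under a fixed upload directory and carry an image signature, the URL must be https to an allow-listed host, free text must not start with '-', '@' or '<', and text fields are passed with '--form-string', which curl never treats as a file reference. UPLOAD_DIR and ALLOWED_HOSTS are assumed policy values (the allow-listed host is taken from the finding's own example URL), and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example for this audit page, not code from the gemini-image skill.
# It guards the three spots the findings call out before anything reaches
# curl: the local file path, the destination URL and free-text fields.
# UPLOAD_DIR and ALLOWED_HOSTS are assumed policy values for illustration.

UPLOAD_DIR="${UPLOAD_DIR:-/tmp/agent-uploads}"   # only files under here may be sent
ALLOWED_HOSTS="${ALLOWED_HOSTS:-catbox.moe}"      # space-separated https hosts

# A value that becomes its own curl argument must not start with '-'
# (parsed as an option), '@' or '<' (read as a file by -F/-d), and must
# not carry control characters such as CR/LF.
is_safe_literal() {
  case "$1" in
    ''|-*|@*|\<*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

# Destination must be https with its host on the allow-list. Userinfo
# ('name@host') is rejected so an allow-listed name cannot be smuggled in
# front of a different host. This does not defend against DNS rebinding;
# that needs a check on the resolved address at connect time.
is_allowed_url() {
  case "$1" in
    https://*) ;;
    *) return 1 ;;
  esac
  host="${1#https://}"
  host="${host%%/*}"; host="${host%%\?*}"; host="${host%%#*}"
  case "$host" in
    ''|*@*) return 1 ;;
  esac
  host="${host%%:*}"
  host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
  case "$host" in
    *[!a-z0-9.-]*) return 1 ;;
  esac
  case " $ALLOWED_HOSTS " in
    *" $host "*) return 0 ;;
  esac
  return 1
}

# The upload path must be absolute, resolve (via pwd -P, which follows
# symlinked directories) to somewhere under UPLOAD_DIR, be a regular
# non-symlink file, and begin with a PNG or JPEG signature. A path such as
# ~/.ssh/id_rsa fails every one of these checks.
is_allowed_upload() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  real_dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
  real_root=$(cd "$UPLOAD_DIR" 2>/dev/null && pwd -P) || return 1
  case "$real_dir" in
    "$real_root"|"$real_root"/*) ;;
    *) return 1 ;;
  esac
  sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$sig" in
    89504e47|ffd8ff*) return 0 ;;
  esac
  return 1
}

# Print the curl argv that would run, one argument per line (a dry run, so
# the example stays offline). Free text goes through --form-string, which
# never interprets a leading '@' or '<'; only the validated image is sent
# with -F '@'. --url keeps the URL from ever being parsed as an option and
# --proto '=https' refuses any other scheme (no -L, so redirects are not
# followed). Usage: build_upload_cmd <image-path> <url> <description>
build_upload_cmd() {
  is_allowed_upload "$1" || return 1
  is_allowed_url "$2" || return 1
  is_safe_literal "$3" || return 1
  printf '%s\n' curl --fail --silent --show-error --proto '=https' \
    --form-string 'reqtype=fileupload' \
    --form-string "description=$3" \
    --form "fileToUpload=@$1" \
    --url "$2"
}
```

The two layers are deliberate: '--form-string' makes the '@' exfiltration structurally impossible for text fields even if a check is forgotten, while 'is_allowed_upload' confines the one legitimate file read to image files inside a directory the agent is meant to use.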
Recommendations
  • The automated audit detected serious security threats, which is why the skill is marked Fail; the findings above should be resolved before the skill is used.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:05 PM