photographer-ritts
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE] (SAFE): The skill requires a FAL_KEY or credentials.json. No hardcoded secrets are present. The use of relative path pointers (e.g., ../../../scripts/fal_utils.py) in file contents suggests a monorepo structure where common utilities are shared; this is treated as a configuration pattern rather than a directory traversal attack.
- [COMMAND_EXECUTION] (SAFE): The skill utilizes the Bash tool to execute a local Python script (scripts/fal_generate.py). This is a legitimate use of the tool for its stated purpose of interfacing with the fal.ai API.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted user input to construct prompts for image generation.
- Ingestion points: User-provided descriptions for the image generation CLI.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt construction logic.
- Capability inventory: The skill uses Bash to run scripts and Write to save images.
- Sanitization: No explicit sanitization or input validation logic is shown in the provided files.
Audit Metadata