throngterm-sprite

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE · COMMAND_EXECUTION · EXTERNAL_DOWNLOADS · PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script generate-logo-pack.js executes a hardcoded Python script via spawnSync to handle background transparency. This execution is a primary function of the skill and utilizes safe argument passing methods to interact with the Python interpreter.
  • [EXTERNAL_DOWNLOADS]: The skill requires the Python Pillow library for raster image processing. The tool provides clear instructions to the user to install this dependency using standard package managers if it is not already present.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface in generate-logo-pack.js.
      1. Ingestion points: The --name CLI argument is interpolated into SVG <title> and aria-label attributes.
      2. Boundary markers: Absent.
      3. Capability inventory: The skill writes SVG files to the local .throngterm/sprites directory.
      4. Sanitization: Absent. Malicious input provided to the name argument could be used to inject attributes into the resulting SVG metadata.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 19, 2026, 11:41 AM