generate
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): No malicious patterns or security vulnerabilities were detected.
- The script `scripts/image.py` utilizes the official `google-genai` client library to interact with Google's services.
- API keys are retrieved from the environment (`GEMINI_API_KEY`), which is a secure practice.
- File system operations are limited to reading provided reference images and saving the generated output to the specified path.
- [Indirect Prompt Injection] (SAFE): The skill identifies a potential data ingestion surface for user-provided prompts.
- Ingestion points: The `--prompt` and `--reference` arguments in `scripts/image.py` ingest data that is then sent to the AI model.
- Boundary markers: None; the prompt is directly concatenated with aspect ratio instructions.
- Capability inventory: The skill has network access (via the Gemini client) and file read/write capabilities (for image processing).
- Sanitization: No sanitization is performed on the prompt text, but since the output is a generated image, the risk of downstream command or code execution is negligible.
Audit Metadata