Skills
skills/ccalebcarter/purria-skills/gemini-image-generator/Gen Agent Trust Hub

gemini-image-generator

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The script scripts/recraft_process.py downloads content from URLs provided by the Recraft API response and writes them to local files.
  • [DATA_EXFILTRATION] (LOW): The skill transmits local image files to the Recraft API (external.api.recraft.ai) for processing (background removal and vectorization). While this is the intended functionality, it involves sending data to a non-whitelisted third-party domain.
  • [REMOTE_CODE_EXECUTION] (SAFE): No dynamic code execution (eval/exec) or piped remote script execution was detected. The skill uses standard API clients.
  • [CREDENTIALS_UNSAFE] (SAFE): API keys are correctly managed via environment variables (GEMINI_API_KEY, RECRAFT_API_KEY). No hardcoded secrets were found.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests untrusted user input via the --prompt argument and interpolates it directly into the Gemini API call.
  • Ingestion points: args.prompt in scripts/generate.py.
  • Boundary markers: None; input is passed as a raw string to the model.
  • Capability inventory: File writing via Image.save and os.makedirs.
  • Sanitization: None detected.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 05:53 PM