gemini-image
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill logic directs the agent to read user-provided credentials from
config/secrets.mdand transmit them to an unverified third-party endpoint (https://api.apicore.ai/v1/images/generations) rather than a direct, well-known AI provider. - [DATA_EXFILTRATION]: The documentation in
tips/image-upload.mdprovides a command template for uploading files tocatbox.moeusingcurl -F "fileToUpload=@path". This pattern is highly susceptible to exfiltrating sensitive local files (e.g., SSH keys or environment files) if the path parameter is manipulated via prompt injection. - [EXTERNAL_DOWNLOADS]: The skill interacts with several external, non-whitelisted domains including
api.apicore.ai,catbox.moe, andlitterbox.catbox.moefor its primary operations. - [COMMAND_EXECUTION]: The skill relies on constructing and executing
curlcommands to communicate with remote APIs and upload services. - [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes untrusted external data (image URLs and user prompts) that are interpolated directly into shell commands.
- Ingestion points: Image URLs and prompt text processed in
SKILL.md. - Boundary markers: Absent; no delimiters are used to separate user input from the command structure.
- Capability inventory: Access to
curlwith the ability to read local files via the@prefix. - Sanitization: Absent; no validation or escaping is performed on the user-provided URLs or descriptions.
Audit Metadata