imagegen
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Privilege Escalation] (MEDIUM): The file 'references/codex-network.md' provides explicit instructions for disabling network approval prompts and relaxing sandbox constraints (e.g., using '--ask-for-approval never'). This guidance encourages bypassing security guardrails intended to protect the host system during networked operations.
- [Unverifiable Dependencies] (LOW): The skill requires installation of the 'openai' and 'pillow' Python packages without version pinning. While 'openai' is from a trusted organization, 'pillow' is not specifically listed in the trusted scope, and unpinned installations represent a minor supply-chain risk.
- [Indirect Prompt Injection] (LOW): The skill processes arbitrary user prompts and interpolates them into a structured specification passed to a CLI tool. This creates a surface for indirect prompt injection.
- Ingestion points: User prompts and input images are ingested via 'SKILL.md' instructions.
- Boundary markers: The skill uses a structured template (e.g., 'Use case:', 'Constraints:') to delimit input fields.
- Capability inventory: The skill executes a local script 'scripts/image_gen.py', writes and deletes temporary JSONL files in 'tmp/', and performs network operations to the OpenAI API.
- Sanitization: Instructions specify 'prompt augmentation' to improve structure but do not define explicit sanitization or escaping of the user-provided text.
- [Command Execution] (LOW): The skill relies on executing a local script 'scripts/image_gen.py' and performing file system operations (write/delete) in the 'tmp/' directory. While these are necessary for the skill's function, they represent an execution surface dependent on an unprovided script.
Audit Metadata