avatar-builder

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'mcp-avatar-builder' package from the npm registry using the 'npx' command, which is a standard deployment method for MCP servers.
  • [SAFE]: No malicious patterns, such as prompt injection, data exfiltration, or obfuscation, were detected in the skill's instructions or tool definitions. The functionality is restricted to local image generation.
  • [SAFE]: The risk of indirect prompt injection is negligible; while the 'generate_avatar' tool ingests user-controlled data via the 'seed' and 'options' parameters (SKILL.md) without specific boundary markers or sanitization, the skill lacks dangerous capabilities such as file system access or command execution to exploit this surface.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 02:20 AM