gemini-svg-creator
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill depends on the @rlabs-inc/gemini-mcp server, which is obtained via npx. This download is a core requirement for the tool's functionality.
- [COMMAND_EXECUTION]: Configuration instructions use the claude mcp add command. This is intended for user-driven environment setup and is clearly explained.
- [CREDENTIALS_UNSAFE]: The skill requires a GEMINI_API_KEY and provides placeholders for the user to input their own key. No sensitive credentials or hardcoded secrets are included in the skill files.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it processes external data. Evidence: (1) Ingestion points: user-provided SVG descriptions in SKILL.md. (2) Boundary markers: prompts use structured headers like 'Now create:'. (3) Capability inventory: network access via mcp__gemini__gemini-query and file writing in SKILL.md. (4) Sanitization: Claude performs validity checks and optimization in Steps 4 and 6.
Audit Metadata