NYC

carousel-generator

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [External Downloads] (SAFE): The skill requires the installation of the 'pillow' library from PyPI, which is a standard and trusted package for image processing.
  • [Command Execution] (LOW): The skill instructions involve executing a local Python script ('tools/generate-carousel.py') to generate image files. While functional for the tool's purpose, this represents a capability to execute code on the host system.
  • [Indirect Prompt Injection] (LOW): The skill processes user-provided markdown and JSON files, creating an attack surface where malicious input could attempt to influence the agent's behavior or generation output.
      • Ingestion points: Untrusted data enters via 'input_file' as specified in the SKILL.md and references/input-formats.md.
      • Boundary markers: Absent; no specific delimiters or instructions to the agent regarding the handling of embedded instructions in data were found.
      • Capability inventory: The skill executes a Python script with the ability to read input files and write PNG files to the output directory.
      • Sanitization: No sanitization or input validation logic is described in the provided skill documentation or configuration files.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:10 PM