Skills
skills/eachlabs/skills/vtuber-avatar-generation/Gen Agent Trust Hub

vtuber-avatar-generation

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes curl commands to interact with the EachLabs API endpoint at https://sense.eachlabs.run/chat. This is a standard method for API communication and is used here for its intended purpose of sending prompts and receiving generated asset data.
  • [EXTERNAL_DOWNLOADS]: The skill references external URLs for retrieving generated media, specifically from https://storage.eachlabs.ai. As described in the SSE documentation, the agent is expected to handle image and video URLs returned by the generation service.
  • [DATA_EXFILTRATION]: The skill sends user-provided character descriptions and an API key ($EACHLABS_API_KEY) to the vendor's API. This data transmission is the primary function of the skill and is directed to the official service infrastructure of the author.
  • [PROMPT_INJECTION]: The skill processes external data from the API's Server-Sent Events (SSE), which creates a surface for indirect prompt injection.
  • Ingestion points: API responses from https://sense.eachlabs.run/chat containing fields like text_response and thinking_delta (defined in references/SSE-EVENTS.md).
  • Boundary markers: None identified in the provided instructions.
  • Capability inventory: Network requests via curl as defined in SKILL.md.
  • Sanitization: Not explicitly defined in the provided documentation.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 2, 2026, 06:24 AM