image-gen
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection in SKILL.md during the Ideogram generation process. User-controlled variables, including the image prompt ($PROMPT) and reference image paths ($CHAR_REF_PATH, $STYLE_REF_PATH), are interpolated into a command string that is executed via the eval command. This allows an attacker to execute arbitrary shell commands by including metacharacters like semicolons, backticks, or pipes in their input.
- [EXTERNAL_DOWNLOADS]: The skill interacts with external APIs at api.ideogram.ai and generativelanguage.googleapis.com to generate images. It programmatically downloads and saves these files to the local filesystem at ~/image-gen/ and opens them automatically using the system's open command.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it ingests untrusted user data and uses it in operations with significant system capabilities without proper sanitization or boundary markers.
  - Ingestion points: User-provided prompts and file paths from command arguments in SKILL.md.
  - Boundary markers: Absent; inputs are directly interpolated into shell commands and JSON request bodies.
  - Capability inventory: Execution of shell commands (curl, mkdir, eval), file writing (python3), and opening local files.
  - Sanitization: No escaping or validation is performed on user inputs before they are used in high-privilege operations.
Recommendations
- AI detected serious security threats
Audit Metadata