fal-image-edit
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/edit-image.sh` uses an unquoted heredoc (`<<EOF`) to construct the `PAYLOAD` variable. This causes the shell to evaluate and execute any command substitutions, such as `$(...)` or backticks, found within the `$PROMPT` variable during string assignment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes user-provided prompts without sanitization or boundary markers before passing them to a shell-evaluated context.
  - Ingestion points: The `PROMPT` variable in `scripts/edit-image.sh`, which is sourced directly from the `--prompt` command-line argument.
  - Boundary markers: Absent; user input is interpolated directly into a shell context without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The script utilizes `curl` for network requests, performs local file writes, and executes file contents via the `source` command.
  - Sanitization: Absent; there is no validation, escaping, or filtering of the prompt input before it is used in the shell payload construction.
- [DATA_EXFILTRATION]: The command expansion vulnerability allows for the execution of arbitrary commands that can read and transmit sensitive data, such as the `FAL_KEY` or local system files, to external attacker-controlled endpoints.
- [CREDENTIALS_UNSAFE]: The script includes functionality to store the fal.ai API key in plain text within a local `.env` file and uses the shell's `source` command to load it, which executes the file's content as code and exposes the secret to any process with file read access.
Recommendations
- AI detected serious security threats
Audit Metadata