giggle-product-poster

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill reads a local file from a path provided by the user and uploads it to the giggle.pro API for processing. This behavior is consistent with the skill's stated purpose of image-to-image generation.
  • [COMMAND_EXECUTION]: The skill executes a local Python script, scripts/generate_poster.py, to process the user's image and interact with the remote API.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes untrusted user data.
      • Ingestion points: User input is collected in SKILL.md (Stage 1) for the product image path, product info, and marketing details.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when interpolating user data into the generation prompt.
      • Capability inventory: The script scripts/generate_poster.py has the capability to read arbitrary local files and perform network operations using the requests library.
      • Sanitization: There is no validation to ensure the provided file path points to an image file, nor is the user-provided text sanitized before being sent to the generation API.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 01:14 AM