google-image-search
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted metadata (titles, snippets, and display links) from external search results which is then used for scoring and potentially for LLM-based selection. \n
- Ingestion points:
scripts/api.py(fetching Google Custom Search results). \n - Boundary markers: Absent in the provided logic; untrusted strings are processed within the scoring engine without explicit delimiters. \n
- Capability inventory: Writing files to the disk (
scripts/download.py) and modifying local Obsidian notes (scripts/obsidian.py). \n - Sanitization:
scripts/output.pyescapes markdown characters for alt-text;scripts/download.pyuses slugification for filenames and magic-byte detection for file types. \n- [Data Exfiltration] (LOW): The skill is designed to access sensitive local information, including API keys stored in.envfiles and the contents of a user's personal markdown notes within an Obsidian vault. While accessing these is necessary for the skill's primary purpose, it constitutes data exposure. \n- [External Downloads] (LOW): The skill's primary function involves downloading binary files from arbitrary external URLs returned by a search engine, which is an expected but inherently risky operation.
Audit Metadata