thumbnail-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it processes untrusted external content and converts it into prompts for the agent to follow. 1. Ingestion points: 'youtube_url' in 'analyze_video', 'generate_seo_titles', and 'generate_seo_description'; 'image_url' in 'create_face' (SKILL.md). 2. Boundary markers: Absent; there are no instructions for the agent to isolate or ignore embedded commands in the retrieved video data. 3. Capability inventory: The skill possesses side-effect capabilities (creating permanent face models, generating thumbnails that consume credits) and its output 'ready-to-use prompts' directly influence the agent's next logical steps. 4. Sanitization: No sanitization or validation of the remote content is mentioned or implemented.
- [Data Exposure & Exfiltration] (LOW): The skill performs network requests to 'app.thumbcraft.io', which is not a whitelisted domain. While necessary for the skill's functionality, it constitutes an external communication channel that could be used for data exfiltration if combined with sensitive data access.
Recommendations
- AI detected serious security threats
Audit Metadata