image-generation
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill adheres to security best practices by utilizing environment variables (DOUBAO_API_KEY) and configuration templates to avoid hardcoding sensitive credentials. The local 'config.yaml' is correctly excluded via documentation and templates.
- [EXTERNAL_DOWNLOADS]: The skill communicates exclusively with official Volcengine (ByteDance) API endpoints at 'ark.cn-beijing.volces.com' for image generation and downloads, which is a recognized and well-known service provider.
- [INDIRECT_PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection as it processes user-provided descriptions and file paths.
  - Ingestion points: CLI arguments '--prompt' and '--output' in 'scripts/doubao_image_gen.py'.
  - Boundary markers: Absent.
  - Capability inventory: The script has the ability to fetch data from the network ('requests.get') and write to the local filesystem ('open().write()').
  - Sanitization: Input file paths are used directly for asset storage, which is consistent with the skill's primary purpose of image asset management.
- [COMMAND_EXECUTION]: The skill relies on standard Python script execution to interact with the Doubao API, with no evidence of arbitrary or malicious command execution.