google-image-creator
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local TypeScript scripts (list-models.ts and generate-image.ts) using the npx tsx runner to perform image generation and cost tracking.
- [EXTERNAL_DOWNLOADS]: References official Google AI documentation and pricing (ai.google.dev) and uses npx to run the tsx package from the npm registry. These are well-known and trusted services.
- [COMMAND_EXECUTION]: The skill presents an indirect prompt injection surface.
  - Ingestion points: User-provided image generation prompts are passed as arguments to CLI scripts.
  - Boundary markers: No explicit boundary markers or sanitization instructions are present in the command examples.
  - Capability inventory: Subprocess execution of local scripts with access to the GOOGLE_API_KEY environment variable.
  - Sanitization: No sanitization is documented in the markdown; the skill relies on the underlying script implementation or agent-level safety.