publish-image-text-skill
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [SAFE]: No malicious patterns or security risks detected. The script communicates only with a local server by default and uses environment variables for parameter passing.
- [COMMAND_EXECUTION]: Executes a local script (publish.mjs) via Node.js to interact with an MCP server. This is the intended behavior for the publishing functionality and does not involve arbitrary command injection.
- [PROMPT_INJECTION]: (Indirect) The skill handles user-provided text which is forwarded to a local server.
- Ingestion points: scripts/publish.mjs (via environment variables).
- Boundary markers: Absent.
- Capability inventory: Bash execution of local scripts and HTTP POST requests to a local API.
- Sanitization: Absent; input is forwarded as-is, relying on the receiving server for validation.
Audit Metadata