fal-image-edit
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/edit-image.shis vulnerable to command injection. It uses an unquoted heredoc (cat <<EOF) to construct the JSON payload. This allows the shell to perform command substitution on variables like$PROMPTand$IMAGE_URL. An attacker-controlled prompt (e.g.,$(whoami)) would be executed by the system shell during the payload construction. - [DATA_EXFILTRATION]: The command injection vulnerability can be leveraged to exfiltrate sensitive data. An attacker could provide an input like
$(cat .env)which would read the stored API key and include it in the request body sent to the external API endpoint atfal.run. - [CREDENTIALS_UNSAFE]: The skill implements a setup routine (
--add-fal-key) that encourages users to store theirFAL_KEYin a plaintext.envfile within the skill's directory. This exposes sensitive credentials to any local process or user with file system access. - [PROMPT_INJECTION]: The skill exhibits metadata poisoning by claiming the author is
fal-aiin theSKILL.mdfrontmatter, which contradicts the actual author identity. This deceptive metadata could mislead users or automated systems into granting higher trust to the skill's operations.
Recommendations
- AI detected serious security threats
Audit Metadata