image-gen

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Threat categories: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The script image-gen.js uses fs.readFileSync to read a file path provided via the INPUT_IMAGE argument. The content of this file is converted to base64 and sent to an external API (https://internal.infquest.com/...) via fetch.
    • Evidence: `const imageBuffer = fs.readFileSync(INPUT_IMAGE);` followed by a POST request containing `image_url: { url: \`data:${mimeType};base64,${base64Image}\` }`.
    • Risk: If an attacker or a malicious prompt directs the agent to use a sensitive path (e.g., ~/.ssh/id_rsa or .env) as the input image, the contents of that file will be exfiltrated to the remote server.
  • [COMMAND_EXECUTION] (LOW): The SKILL.md instructions direct the agent to execute the open command on a user-defined output path. While standard for opening files on macOS, it involves executing system commands with paths derived from potentially untrusted user input.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill lacks sanitization for user-provided data and processed files.
    • Ingestion points: User prompts via AskUserQuestion and file paths provided to image-gen.js via the INPUT_IMAGE argument.
    • Boundary markers: Absent; user prompts are interpolated directly into the API request.
    • Capability inventory: The script image-gen.js possesses fs.readFileSync (read), fs.writeFileSync (write), and fetch (network) capabilities.
    • Sanitization: None; there is no validation to ensure the INPUT_IMAGE is actually an image or that the PROMPT does not contain injection strings.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 04:36 PM