web-asset-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data from users to perform file system modifications.
  - Ingestion points: Text, emoji descriptions, and source image paths in generate_favicons.py and generate_og_images.py.
  - Boundary markers: No markers or delimiters are used to separate untrusted user input from system instructions.
  - Capability inventory: The skill can write files to the local file system and execute subprocesses.
  - Sanitization: No sanitization of user-provided paths or text is mentioned, posing a risk of path traversal or further injection.
- Command Execution (HIGH): The skill's operational model involves the agent constructing shell commands using user-supplied strings. This is a high-risk pattern for command injection.
- External Downloads (LOW): The skill depends on third-party Python packages (Pillow, pilmoji, emoji) from standard registries.
- Privilege Escalation (LOW): The installation instructions suggest using --break-system-packages, which is a poor security practice but doesn't constitute a malicious privilege escalation finding in this context.
Recommendations
- AI detected serious security threats
Audit Metadata