baoyu-cover-image
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions in `references/base-prompt.md` that direct the downstream image generation model to bypass standard safety refusals regarding sensitive or copyrighted figures, instructing it to 'create stylistically similar alternatives' and 'DO NOT refuse to generate'.
- [COMMAND_EXECUTION]: The workflow instructions in `references/workflow/prompt-template.md` and `references/workflow/reference-images.md` assume the agent has the capability to execute shell-like verification commands, such as `test -f`, to check for the existence of reference files before proceeding.
- [INDIRECT_PROMPT_INJECTION]: The skill creates an attack surface by ingesting untrusted data (article titles and summaries) and interpolating them into prompts for image generation tools without robust sanitization or delimiters.
  - Ingestion points: User-provided article content is saved to `source.md` and processed during the analysis step.
  - Boundary markers: The prompt template in `references/workflow/prompt-template.md` uses plain text headers (e.g., 'Article title:') to separate untrusted content from instructions, which may be insufficient to prevent content from influencing the agent's logic.
  - Capability inventory: The skill performs file system operations (read/write in `refs/`, `prompts/`, and config directories), executes status checks (implied `test -f`), and invokes external image generation tools.
  - Sanitization: No explicit sanitization or validation is defined for the content extracted from the source article before it is inserted into the final generation prompt.
Audit Metadata