image-stats

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses curl to perform HTTP requests to external endpoints and echo to inspect the value of the $LABNOCTURNE_API_KEY environment variable.
  • [EXTERNAL_DOWNLOADS]: The skill downloads data from https://images.labnocturne.com/key and https://images.labnocturne.com/stats. These endpoints provide JSON content used for authentication and statistics display.
  • [DATA_EXFILTRATION]: The skill transmits the LABNOCTURNE_API_KEY to the /stats endpoint of a non-whitelisted external domain. This is the intended mechanism for authenticating with the service's API.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes and displays data from an external API.
      • Ingestion points: Data enters the context via curl responses from https://images.labnocturne.com/stats (specifically the error.message and statistics fields).
      • Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the API response.
      • Capability inventory: The agent has the capability to execute curl and echo commands.
      • Sanitization: No sanitization or validation of the remote JSON content is performed before displaying it to the user.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 07:43 PM