image-upload

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to use shell utilities (ls and curl) with file paths provided directly by the user. If the agent does not properly sanitize the path input, this creates a risk of command injection where an attacker could use shell metacharacters (e.g., semicolons, pipes, or backticks) to execute arbitrary commands.
  • [EXTERNAL_DOWNLOADS]: The skill is configured to automatically fetch a temporary API key from https://images.labnocturne.com/key when a local key is not provided in the environment. This constitutes an external network request to a vendor-controlled endpoint to retrieve runtime configuration.
  • [DATA_EXFILTRATION]: The primary function of the skill is to transmit local data to a remote server (images.labnocturne.com). The skill includes a mitigation by enforcing an extension whitelist (jpg, jpeg, png, gif, webp, svg) to prevent the upload of sensitive text-based configuration or credential files, but the core capability of transferring local data to an external destination remains a notable security behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 07:43 PM