files

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • [CREDENTIALS_UNSAFE]: The instruction to run echo $LABNOCTURNE_API_KEY causes the sensitive API key to be printed to the agent's output or log stream during the verification step.
  • [COMMAND_EXECUTION]: The skill uses curl to execute network requests and echo to inspect environment variables.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to https://images.labnocturne.com to fetch file lists and temporary authentication keys.
  • [PROMPT_INJECTION]: The skill processes untrusted external data which creates an indirect prompt injection surface.
      • Ingestion points: Data enters the context via JSON responses from the images.labnocturne.com/files endpoint, specifically the filename, id, and error.message fields.
      • Boundary markers: None. The agent is instructed to parse and present these fields directly to the user without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill has the capability to execute shell commands (curl) and access environment variables.
      • Sanitization: There is no evidence of sanitization or escaping for the strings returned by the API before they are rendered by the agent.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 07:11 PM