image-generation
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: CRITICAL
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes the 'z-ai-web-dev-sdk' package and the 'z-ai' CLI tool. Both resources are legitimate components provided by the vendor 'jjyaoao' and are used for their intended purpose of image generation.\n- [PROMPT_INJECTION]: The skill processes user-provided text prompts to generate images, which presents a surface for indirect prompt injection. While no malicious overrides were found, the skill lacks input sanitization for these prompts.\n
- Ingestion points: The
promptparameter ingenerateImage,generateImageWithSize, and batch processing functions withinSKILL.mdandscripts/image-generation.ts.\n - Boundary markers: None. The prompts are interpolated directly into the API request payload.\n
- Capability inventory: The skill performs local file system writes via
fs.writeFileSyncto save generated images.\n - Sanitization: No validation or filtering of prompt content is implemented before processing.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata