thumbnail
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use `curl` for downloading external assets, such as brand logos and YouTube thumbnails, to the local file system within the `./downloads/` directory.
- [EXTERNAL_DOWNLOADS]: Asset retrieval is performed from external web sources, including well-known services like YouTube (img.youtube.com) and other domains discovered through web searches for branding materials.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it downloads and processes external image content which may contain adversarial instructions. Ingestion points: YouTube thumbnails and search-sourced images; Boundary markers: none; Capability inventory: `curl` execution, file-write operations, and invocation of the `art:nanobanana` image generation skill; Sanitization: none.
Audit Metadata