gen-image

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script scripts/image.mjs to perform image generation and editing tasks.
  • [EXTERNAL_DOWNLOADS]: The script communicates with Google's official Generative Language API (generativelanguage.googleapis.com) to process image requests. This is a well-known service and the communication is required for the skill's primary purpose.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it processes user-provided prompts and input images to generate content via an LLM/Image model.
      • Ingestion points: User-provided strings in the prompt argument and content from local image files passed to scripts/image.mjs.
      • Boundary markers: None identified; user input is directly interpolated into the API request body.
      • Capability inventory: The script can read local files (fs.readFileSync), create directories (fs.mkdirSync), write local files (fs.writeFileSync), and perform network requests (fetch).
      • Sanitization: No input sanitization or validation of the prompt content is implemented before it is sent to the remote API.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 01:07 AM