generate-youtube-thumbnail

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted user input (video concepts, titles) and interpolates it into prompts that are then embedded in a shell script for execution.
    • Ingestion points: User-provided concepts and text described in SKILL.md workflow.
    • Boundary markers: Absent.
    • Capability inventory: Subprocess execution (bash, python3), network requests (curl), and file system writes in scripts/generate-batch.sh.
    • Sanitization: Uses json.dumps for the final API payload, but lacks validation for the initial prompt construction.
  • [COMMAND_EXECUTION]: The skill relies on a bash script (scripts/generate-batch.sh) that executes curl, python3, and file system commands. This script is used to orchestrate the image generation and downloading process.
  • [DATA_EXFILTRATION]: The script reads local image files from references/youtube thumbnail/ and uploads them to external-api.arcads.ai. This is an intended function of the thumbnail generation workflow.
  • [EXTERNAL_DOWNLOADS]: Fetches and saves generated image assets from the remote Arcads API to the local output/ directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 01:54 PM