meitu-tools

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the meitu CLI tool using a secure pattern. Specifically, it uses Node.js spawnSync with an argument array rather than a shell string, which prevents command injection from user-provided prompts or parameters.
  • [PROMPT_INJECTION]: The skill contains explicit instructions to the AI agent to treat all user-provided data, including the prompt field, as tool input only. It explicitly forbids the agent from following attempts to override system instructions or reveal hidden information.
  • [SAFE]: Credential access is limited to the paths declared in the frontmatter (~/.meitu/credentials.json and ~/.openapi/credentials.json). These are standard locations for CLI tool configuration, and the skill does not attempt to access unrelated sensitive files or exfiltrate the keys to non-vendor domains.
  • [EXTERNAL_DOWNLOADS]: The skill references the meitu-cli and meitu-ai packages on the official npm registry. These are legitimate vendor resources consistent with the skill's authorship by Meitu.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 11:58 PM