media-generation

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE · EXTERNAL_DOWNLOADS · COMMAND_EXECUTION · DATA_EXFILTRATION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation and use of the agentcash package from the NPM registry to facilitate API requests and payment handling.
  • [COMMAND_EXECUTION]: Shell commands are executed via npx agentcash@latest and curl to interact with remote endpoints and perform binary file uploads.
  • [DATA_EXFILTRATION]: User-provided prompts and local image files are transmitted to external services including stablestudio.dev and Vercel Blob storage for processing and hosting.
  • [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface by interpolating untrusted user prompts directly into API request bodies without explicit sanitization or boundary markers.
      1. Ingestion points: User-provided prompts in the prompt field of generation and edit requests (SKILL.md).
      2. Boundary markers: None identified in the provided instructions.
      3. Capability inventory: Network communication and file transmission via the agentcash CLI and curl (SKILL.md, rules/uploads.md).
      4. Sanitization: No sanitization or validation of user-provided prompt content is specified.

Audit Metadata
Risk Level: SAFE
Analyzed: Apr 19, 2026, 11:23 AM