unavatar-api

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill documentation describes building API requests by directly interpolating user-supplied keys (usernames, emails, or domains) and parameters (fallback URLs) into the unavatar.io endpoint. This presents a surface for indirect prompt injection where a maliciously crafted input could include URL control characters or extra query parameters to manipulate the request behavior.
      • Ingestion points: /:provider/:key path segments and the fallback query parameter in SKILL.md.
      • Boundary markers: Absent. No delimiters or instructions for input validation are provided.
      • Capability inventory: The skill documentation describes making network requests via curl to external endpoints.
      • Sanitization: None described. The skill assumes user-provided strings are safe for URL construction.
  • [COMMAND_EXECUTION]: The documentation provides multiple examples of curl commands to interact with the API, check key usage, and rotate keys. While intended as documentation, these templates could lead to command injection if an agent executes them using unsanitized user inputs.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 14, 2026, 05:41 PM