seedream

Warn

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The wrapper scripts generate-image.sh and generate-image.ps1 implement an argument expansion feature where any parameter prefixed with @ is treated as a file path. The scripts read the entire content of the specified file and inject it as a command-line argument for the Node.js process. This behavior lacks any validation or restriction, potentially allowing the exposure of sensitive files such as SSH keys or environment configurations if used maliciously.
  • [DATA_EXFILTRATION]: The processImagePath function in generate_image.js reads local file paths provided via the --image parameter and converts them to Base64 data for transmission to the Volcengine API. The function does not verify if the file is an image or if the path is within a safe directory, creating a vector for reading and exfiltrating arbitrary system files through the image generation request.
  • [COMMAND_EXECUTION]: The skill uses shell and PowerShell entry points to dynamically locate and execute a Node.js runtime. This includes support for loading a custom runtime specified via the LOBSTERAI_ELECTRON_PATH environment variable, so whoever controls that variable controls which binary runs the core logic.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with Volcengine's Ark API (ark.cn-beijing.volces.com) via HTTPS to process requests and downloads resulting image files to the local system. These interactions are consistent with the skill's primary purpose and target well-known cloud services.
  • [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection by processing unvalidated user inputs and external file contents.
      ◦ Ingestion points: Data is ingested through the --prompt parameter, the contents of files read via the @ syntax in wrapper scripts, and image data processed by generate_image.js.
      ◦ Boundary markers: No delimiters or system-level instructions are used to distinguish user-provided content from the agent's internal logic.
      ◦ Capability inventory: The skill possesses the capability to read local files, execute system commands via wrappers, and perform network requests to an external API.
      ◦ Sanitization: There is no evidence of content filtering, path sanitization, or input validation before data is processed or transmitted.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 2, 2026, 10:26 PM