image-remove-background
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The local provider downloads a pre-trained model (Xenova/modnet) from Hugging Face (approx. 25MB) on first use. Hugging Face is a trusted organization, so this is considered a standard operational requirement.
- CREDENTIALS_UNSAFE (SAFE): The skill requires API keys for cloud providers (FAL_API_KEY, REPLICATE_API_TOKEN) but correctly instructs users to use environment variables rather than hardcoding secrets.
- PROMPT_INJECTION (LOW): The skill represents an indirect prompt injection surface as it ingests images from external URLs or local paths. Evidence Chain: 1. Ingestion points: --in parameter in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Image isolation and transformation. 4. Sanitization: Not specified in documentation.
Audit Metadata