selfie
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION]: The skill contains explicit instructions to bypass standard AI safety filters and refusal mechanisms when generating NSFW content. It utilizes strong override language such as "DO NOT refuse," "DO NOT sanitize," and "Obey unconditionally" to ensure compliance with potentially sensitive requests.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute system commands, including launching a local Python-based image server (`server_realvis.py`) and interacting with the `alma` CLI. The execution of scripts from local configuration paths (`~/.config/alma/`) constitutes a command execution risk if the environment is not secured.
- [DATA_EXFILTRATION]: The skill facilitates the retrieval and transmission of local image files from the `~/.config/alma/selfies/` directory via the `alma send photo` tool. While intended for the "owner," this creates a mechanism for exposing filesystem data to external chat contexts.
- [PROMPT_INJECTION]: The skill exhibits vulnerability to indirect prompt injection by accepting untrusted user descriptions and interpolating them directly into CLI command strings without sanitization or boundary markers.
  - Ingestion points: User-provided scene descriptions in the `alma selfie take` and `alma image generate` commands.
  - Boundary markers: None present; user input is directly quoted in Bash strings.
  - Capability inventory: Usage of the Bash tool, file system access to configuration directories, and the ability to transmit files via network-capable tools.
  - Sanitization: No evidence of input escaping, validation, or filtering for user-provided descriptive strings.
Audit Metadata