unsplash-image
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches images and metadata from Unsplash, a well-known image hosting service.
- [COMMAND_EXECUTION]: Invokes a local Python script to perform searches and process images.
- [PROMPT_INJECTION]: The skill processes metadata from an external API, which represents a surface for indirect prompt injection.
  - (1) Ingestion points: Metadata from Unsplash API responses processed by the unsplash-search.py script.
  - (2) Boundary markers: No delimiters or ignore-instruction warnings are specified for the processed content.
  - (3) Capability inventory: Access to shell execution (Bash) and file system operations (Read/Write).
  - (4) Sanitization: No sanitization or escaping of API data is mentioned in the documentation.