og-card
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill requires standard Node.js packages (@vercel/og, satori, sharp). These are well-maintained and reputable libraries for image generation and processing.
- [COMMAND_EXECUTION] (SAFE): The skill executes a local TypeScript script (generate-card.ts) to render images, which is standard and expected behavior for this type of utility.
- [DATA_EXFILTRATION] (SAFE): No unauthorized network operations or access to sensitive local files were detected. The skill reads a local brand-profile.yaml for legitimate configuration purposes.
- [INDIRECT_PROMPT_INJECTION] (LOW): Risk surface detected for indirect prompt injection.
  1. Ingestion points: User-provided arguments such as [title], [author], and [version] from the command line, plus brand-profile.yaml.
  2. Boundary markers: Absent.
  3. Capability inventory: Execution of generate-card.ts and image processing via sharp.
  4. Sanitization: Absent.

  The severity is LOW because the output is a static image file (PNG), which does not present a path for downstream instruction execution.