NYC

media-transformation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly instructs the agent to execute a binary located at .claude/utils/toon/zig-out/bin/toon.
  • Evidence: The instruction in 'Method 1: Use Zig Encoder' directs the agent to run '.claude/utils/toon/zig-out/bin/toon encode data.json'.
  • Risk: There is no mechanism to verify the integrity or safety of this binary, which could perform arbitrary actions on the host system.
  • [PROMPT_INJECTION] (MEDIUM): The skill uses authoritative and coercive language ('AGGRESSIVE MODE', 'TOON ALL DAY', 'Use automatically', 'No long explanations needed') to override the agent's default decision-making regarding data formatting.
  • Evidence: The 'Purpose' and 'When to Use' sections use 'AGGRESSIVE' markers to force compliance over standard JSON/text formatting.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): References to external repositories and sites not on the trusted list suggest the retrieval of tools or specifications from unverified sources.
  • Evidence: References to https://github.com/toon-format/spec and https://toonformat.dev. The toon-format organization is not a trusted entity.
  • [DATA_EXPOSURE & EXFILTRATION] (MEDIUM): The tool is designed to process sensitive data types (API responses, Database query results, Financial transactions).
  • Evidence: Criteria for use include 'API responses', 'Database query results', and 'transactions'.
  • Risk: Processing high-value data through an unverified binary (toon) creates a risk of data capture or leakage.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is a primary ingestion point for untrusted data (RAG pipelines, API responses).
  • Evidence Chain:
      • Ingestion points: Processes data.json sourced from APIs, databases, and RAG pipelines.
      • Boundary markers: None specified for the formatting process.
      • Capability inventory: Execution of a subprocess binary, file reading (data.json), and potentially network access, depending on what the Zig binary does.
      • Sanitization: No sanitization logic is described for the input data before it is passed to the encoder.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:04 AM