recommend-image
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from remote GitHub repositories via delegation to the `/detect-project` skill. This creates a surface for indirect prompt injection where instructions hidden in a repository's files or structure could attempt to influence the agent's decision-making or state.
  - Ingestion points: External GitHub URLs provided to the `/recommend-image` command.
  - Boundary markers: Absent. No delimiters or warnings are used to isolate content ingested during the repository analysis phase.
  - Capability inventory: Shell command execution via `skopeo`.
  - Sanitization: Absent. The skill does not explicitly describe validation or sanitization of the project attributes (language, framework) before they are used in logic or displayed.
- [COMMAND_EXECUTION]: The skill invokes the `skopeo` command-line utility to perform image validation and metadata retrieval. The commands use parameters derived from the project detection phase. If the detection results are influenced by a malicious repository, there is a risk of command argument injection.
  - Evidence: Execution of `skopeo inspect docker://registry.access.redhat.com/ubi9/[candidate-image]` where `candidate-image` is a dynamic variable.
Audit Metadata