generate-image

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using curl to interact with the FAL AI API. Furthermore, it encourages the agent to generate and execute "ad hoc python" scripts to handle a multi-step file upload process to external endpoints (fal.media).
  • [EXTERNAL_DOWNLOADS]: The instructions include URLs for example images hosted on Google Cloud Storage (storage.googleapis.com) to be used as reference inputs for image editing tasks.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. User-supplied text is interpolated directly into a JSON payload within a curl command ("prompt": "<prompt>") without any sanitization, validation, or protective boundary markers.
    • Ingestion points: The user-provided prompt is placed directly into the <prompt> placeholder in SKILL.md.
    • Boundary markers: None present to distinguish instructions from user data.
    • Capability inventory: The agent has the ability to execute shell commands (curl) and run dynamically generated Python scripts.
    • Sanitization: There is no evidence of input escaping or validation for the prompt data.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 07:38 PM