integrate-uploads

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions and code examples demonstrate how to ingest untrusted user data (text prompts and files) and pass them to backend generation models, creating a surface for indirect prompt injection.
      • Ingestion points: User-controlled input via req.body.prompt (Express), formData.get('prompt') (Next.js), and Form(...) parameters (FastAPI) in SKILL.md.
      • Boundary markers: Absent. The examples do not show delimiters or instructions to the model to ignore potential commands embedded in the user prompt.
      • Capability inventory: The skill utilizes file system reads (fs.createReadStream, Path) and network POST operations (fetch, SDK calls) to external endpoints.
      • Sanitization: No validation, escaping, or sanitization of the user-provided text prompt is performed before interpolation into the generation request.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 25, 2026, 12:14 AM