imagen
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFENO_CODEPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill's installation source 'sanjay3290/ai-skills' is not on the trusted repository list, introducing a potential supply chain vulnerability.
- COMMAND_EXECUTION (LOW): The skill invokes 'scripts/generate_image.py', a local script that could perform unauthorized actions if compromised.
- CREDENTIALS_UNSAFE (LOW): Instructions to store 'GEMINI_API_KEY' in shell configuration files (~/.zshrc) expose sensitive keys in plaintext.
- NO_CODE (SAFE): The core Python script is absent from the provided files, preventing a technical analysis of its network and file operations.
- PROMPT_INJECTION (LOW): The skill ingests untrusted user input for API processing without documented sanitization. Evidence Chain: (1) Ingestion: User image prompts. (2) Boundaries: Absent. (3) Capabilities: Network API calls and file writes. (4) Sanitization: None documented.
Audit Metadata