skills/spm1001/claude-suite/picture/Gen Agent Trust Hub

picture

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted user input to form the image generation prompt.
      • Ingestion points: User-provided text strings are passed via CLI arguments to imagen.sh and then to generate.py.
      • Boundary markers: Absent; user input is interpolated directly into the API request content without delimiters or secondary instructions.
      • Capability inventory: generate.py performs network requests to the Google GenAI API and writes image files to the local filesystem (./images/). imagen.sh executes the macOS security utility and spawns a Python process.
      • Sanitization: No local sanitization or validation of the prompt is performed; the skill relies entirely on the safety filters of the upstream Imagen API.
  • Data Exposure & Exfiltration (SAFE): The skill utilizes the macOS Keychain via the security command to retrieve the gemini-api-key. This is a recommended security practice for managing secrets in a CLI context and prevents hardcoding credentials in configuration files.
  • Command Execution (SAFE): The imagen.sh script executes a fixed Python path and a specific system utility (security). It does not provide a mechanism for arbitrary command injection.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 21, 2026, 03:24 PM