Skills
skills/spritecook/skills/spritecook-generate-sprites/Gen Agent Trust Hub

spritecook-generate-sprites

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the agent to download assets from a dynamic 'pixel_url' provided by the spritecook.ai service. This domain is not included in the Trusted External Sources list, making the content unverifiable.
  • COMMAND_EXECUTION (LOW): The skill provides functional command-line snippets using 'curl' and 'Invoke-WebRequest' for the agent to download and save files. Automated execution of these commands with dynamic URLs poses a surface-level risk.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data in the form of URLs from a third-party tool output. Evidence Chain: 1. Ingestion points: 'pixel_url' parameter in 'generate_game_art' response. 2. Boundary markers: Absent; the agent is told to use the URL directly. 3. Capability inventory: Subprocess calls via shell (curl/PowerShell) to write files to the local asset directory. 4. Sanitization: Absent; the skill does not specify validation or filtering of the returned URL before usage.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:15 PM