aliyun-image
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill follows security best practices by using environment variables (
DASHSCOPE_API_KEY) for API authentication instead of hardcoding sensitive credentials.\n- [SAFE]: Network operations are directed exclusively to well-known technology service domains associated with Alibaba Cloud (dashscope.aliyuncs.comanddashscope-intl.aliyuncs.com).\n- [SAFE]: The Python client inscripts/client.pyincludes standard file system operations (reading local images and downloading generated files) that are necessary for its intended functionality.\n- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes user-provided text prompts and external image URLs.\n - Ingestion points: Text prompts and image URLs processed in
scripts/client.pyandSKILL.md.\n - Boundary markers: None identified in the prompt templates.\n
- Capability inventory: Includes network requests to Aliyun APIs and file system read/write operations in
scripts/client.py.\n - Sanitization: Content is passed to the API without client-side sanitization, which is standard for image generation tools.
Audit Metadata