transform-generate-image-with-transloadit

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill executes 'npx -y @transloadit/node', which downloads and runs code from the public npm registry at runtime without version pinning or manual verification.
  • COMMAND_EXECUTION (LOW): Uses npx to run system commands; the -y flag is used to skip security prompts during package execution.
  • PROMPT_INJECTION (LOW): The skill processes untrusted user data via the prompt parameter. (1) Ingestion point: The prompt argument in the shell command within SKILL.md. (2) Boundary markers: None present. (3) Capability: Sending data to the external Transloadit API and writing generated outputs to the local disk. (4) Sanitization: No escaping or validation is performed on the prompt input.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 12:47 PM