gemini-imagegen
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its various image processing scripts.
- Ingestion points: User-supplied text prompts and instructions in scripts/generate_image.py, scripts/edit_image.py, scripts/compose_images.py, and scripts/multi_turn_chat.py are passed directly to the multimodal model.
- Boundary markers: No delimiters or system instructions are used to separate user-provided content from the model's primary instructions.
- Capability inventory: The agent has the ability to make external network requests to the Gemini API and write files to the local file system.
- Sanitization: There is no evidence of input validation or sanitization for the provided prompts.
- [COMMAND_EXECUTION]: The interactive chat script scripts/multi_turn_chat.py contains a path traversal vulnerability.
- The /save command takes a user-provided filename and concatenates it with the output directory path (self.output_dir / filename) without validation.
- Because pathlib.Path join logic allows absolute paths or traversal sequences to override the base directory, an attacker can overwrite system files using sequences like ../../ or by providing an absolute path.