fal
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads generated image files from the official Fal.ai domain (fal.run) to the local /tmp directory. This is a core part of its intended functionality and targets a well-known service domain.
- [COMMAND_EXECUTION]: The skill executes shell commands using curl to make API requests and jq for processing JSON data. It demonstrates security best practices by using 'jq -Rs' to safely escape and sanitize user input before incorporating it into JSON payloads.
- [PROMPT_INJECTION]: No prompt injection or override patterns were found. The skill provides clear instructions for its intended use without attempting to bypass safety filters or reveal system prompts.
- [DATA_EXFILTRATION]: No unauthorized data access or exfiltration patterns were detected. Sensitive API tokens are managed via the standard vm0_secrets configuration, and network traffic is restricted to the legitimate API endpoints.
Audit Metadata