jimeng-api-image-gen

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • COMMAND_EXECUTION (MEDIUM): Documentation instructs the agent to run scripts with user prompts as direct CLI arguments (e.g., scripts/generate_image.py "PROMPT"). This pattern is vulnerable to command injection if the agent does not apply shell-safe escaping to the user-provided prompt, allowing an attacker to execute arbitrary commands by appending them to a prompt string.
  • CREDENTIALS_UNSAFE (LOW): The skill requires VOLC_ACCESSKEY and VOLC_SECRETKEY environment variables. While necessary for API authentication, this requirement exposes sensitive secrets to the process environment.
  • EXTERNAL_DOWNLOADS (SAFE): The skill establishes connections to the official Volcengine API endpoint at https://visual.volcengineapi.com.
  • PROMPT_INJECTION (LOW): Rule files such as .antigravityrules and .cursorrules contain imperative language aimed at overriding default agent output behavior to ensure specific markdown image formatting.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 05:46 PM