baoyu-compress-image
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (SAFE): The script executes system-level image processing tools such as sips, cwebp, and convert. These calls are made using child_process.spawn with argument arrays, which prevents shell injection.
- DATA_EXFILTRATION (SAFE): The script performs file system operations including reading, writing, and deleting files. These actions are limited to the user-specified input paths and are necessary for the primary function of image optimization. No unauthorized data access or network transmission was detected.
- EXTERNAL_DOWNLOADS (SAFE): The skill utilizes npx to run the Bun runtime and dynamically imports the sharp library. These are standard dependencies for the task and originate from trusted registries.
- INDIRECT_PROMPT_INJECTION (SAFE): The skill ingests untrusted file paths. Evidence Chain: 1. Ingestion point: User-provided input path via CLI arguments. 2. Boundary markers: Supported extension check (SUPPORTED_EXTS) and verification of file existence. 3. Capability inventory: subprocess spawning (spawn), file deletion (unlinkSync), and file moving (renameSync). 4. Sanitization: Path resolution and strict extension filtering.
Audit Metadata