image-generation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting user-provided image descriptions and processing them through a workflow that involves shell tool execution and network communication.
  • Ingestion Points: User requests for text-to-image generation or edits (SKILL.md).
  • Boundary Markers: Absent. No instructions are provided to sanitize user input or wrap prompts in delimiters to prevent them from being interpreted as commands.
  • Capability Inventory: Network requests to Gemini API; shell tool execution for running scripts/commands (SKILL.md).
  • Sanitization: Absent. There is no logic mentioned to escape user strings before they are used in API calls or shell commands.
  • Data Exposure & Exfiltration (MEDIUM): The skill explicitly instructs the agent to access the .env file to retrieve the GEMINI_API_KEY. While common for development, this pattern creates a risk of exposing other sensitive secrets stored in the same file if the agent is manipulated via prompt injection.
  • Command Execution (HIGH): The skill encourages the use of a 'shell tool' to run generation tasks with long timeouts. If the agent interpolates user-supplied text directly into these shell commands (e.g., as script arguments), it allows for arbitrary command injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:33 AM