wechat-safe-science-images
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill retrieves images and metadata from Wikimedia Commons (commons.wikimedia.org). This is a well-known and trusted repository for public domain and Creative Commons media resources.
- [COMMAND_EXECUTION]: The skill uses a provided Node.js script (scripts/commons_fetch.mjs) to perform search and download operations. The script utilizes standard built-in modules for file system and network access.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill processes external data that could be influenced by a third party.
- Ingestion points: Metadata such as image titles, artist names, and credit strings are fetched from the Wikimedia Commons API in scripts/commons_fetch.mjs.
- Boundary markers: The skill does not explicitly use delimiters or instructions to ignore embedded commands within the fetched metadata.
- Capability inventory: The skill possesses network access (fetch) and file-system write permissions (fs.writeFileSync) across its operations.
- Sanitization: The skill implements license validation against an allowlist and uses a safeName function to sanitize filenames, reducing the risk of path traversal or illegal character issues.
Audit Metadata