google-gemini-media
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill utilizes official, trusted libraries including
@google/genaifor Node.js andgoogle-genaifor Python. No suspicious or unversioned third-party packages are requested. There are no patterns of piping remote content into a shell. - Data Exposure & Exfiltration (SAFE): All network requests in the examples are directed to the official Google API domain (
generativelanguage.googleapis.com). The skill correctly demonstrates using environment variables for credentials rather than hardcoding them. - Indirect Prompt Injection (SAFE): While the skill is designed to process external media (images, audio, video) which is an ingestion surface for untrusted data, the provided examples are for development and testing purposes. The code does not implement unsafe downstream actions that would be exploitable through such injections.
- Persistence & Privilege Escalation (SAFE): The code consists strictly of API interaction scripts and file-saving operations. It does not attempt to modify system configurations, shell profiles, or acquire elevated permissions.
Audit Metadata