baoyu-compress-image
Pass
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: LOW
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (LOW): The skill invokes system binaries including 'sips', 'cwebp', and 'convert' through the spawn API with argument arrays rather than a shell command string. Because no shell interprets the arguments, a malicious filename cannot inject additional commands, so this implementation is secure against command injection via filenames.
- EXTERNAL_DOWNLOADS (LOW): The skill depends on the 'sharp' npm package and the 'bun' runtime, which are fetched from public registries. These are standard dependencies but are not within the explicitly trusted source list.
- SAFE: No evidence of malicious logic, prompt injection, or data exfiltration was found. While the documentation mentions an 'EXTEND.md' configuration override feature, the provided code does not implement the logic to load or execute it, thereby eliminating the risk of configuration-based injection in its current state.
Audit Metadata