baoyu-compress-image
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script executes external image processing binaries including `sips`, `cwebp`, and `convert`. These commands are executed using `child_process.spawn` with arguments passed as an array, which prevents command injection vulnerabilities by ensuring user-provided filenames are not executed as shell code.
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx` and dynamic imports for the well-known `sharp` library. This may involve downloading the package or its pre-compiled binaries from official registries, which is standard behavior for Node.js image processing tools.
- [PROMPT_INJECTION]: The skill ingests file paths and directory names from the agent's environment. It mitigates risks by validating input parameters (such as quality and format) and using secure path resolution methods to manage file system access during the compression process.
Audit Metadata