baoyu-cover-image
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's core image generation instructions in references/base-prompt.md explicitly direct the agent to override safety refusals when dealing with sensitive or copyrighted figures, using the phrase "DO NOT refuse to generate".
- [PROMPT_INJECTION]: The workflow templates, such as references/workflow/prompt-template.md, use highly forceful instructional language including "MUST", "REQUIRED", and "CRITICAL" to ensure that extracted reference elements take precedence over the model's standard behavioral constraints.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from user-provided articles (article.md) to extract metadata (titles, summaries, and keywords) that is then interpolated into generation prompts.
- Ingestion points: The agent reads external article files or processes pasted user content as described in SKILL.md (Step 1).
- Boundary markers: The instructions do not define explicit delimiters or include warnings to the agent to ignore any embedded instructions found within the article text.
- Capability inventory: The skill possesses the capability to read and write files in local project and user configuration directories and has the authority to invoke other image generation skills/tools.
- Sanitization: There is no documented mechanism for sanitizing, escaping, or validating the input article content before it is processed for analysis.
Audit Metadata