image-generation

Fail

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The _load_image function in scripts/generate.py reads local files based on the image_url parameter without any path validation or restriction. This allows the agent to read arbitrary files from the host filesystem (e.g., credentials, configuration files) and transmit their contents to external AI provider APIs (such as OpenAI or Gemini) during image editing operations.
  • [EXTERNAL_DOWNLOADS]: The script uses the requests library or urllib.request to fetch remote images from URLs provided in the image_url parameter.
  • [COMMAND_EXECUTION]: The skill executes a Python script (scripts/generate.py) with JSON arguments provided by the agent. While the script itself is local, the inputs are derived from user prompts and include file system paths.
  • [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection. Untrusted data enters the agent context via the image_url parameter, which can point to remote content or local files. There are no boundary markers or instructions to ignore embedded commands in the processed data. The script has extensive capabilities including file reading, network GET/POST requests, and local filesystem writes. Finally, there is no sanitization or validation to ensure that the content being read is actually an image before it is transmitted to external APIs.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 6, 2026, 07:00 AM