Skills
skills/affaan-m/everything-claude-code/fal-ai-media/Gen Agent Trust Hub

fal-ai-media

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill configuration downloads and executes the fal-ai-mcp-server package using npx. This is an expected component for the functionality provided and originates from the official registry for the service.
  • [COMMAND_EXECUTION]: The skill utilizes npx to launch the MCP server as part of its setup instructions.
  • [DATA_EXFILTRATION]: The skill includes code snippets that send data to api.elevenlabs.io. This is a legitimate use of a well-known service for text-to-speech synthesis and does not involve the transfer of sensitive local files.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to the following factors:
  • Ingestion points: The skill processes content from external media URLs (image_url, video_url in SKILL.md) and local files via the upload tool.
  • Boundary markers: The instructions lack explicit delimiters or warnings to the model to ignore potential instructions embedded within the processed media or its metadata.
  • Capability inventory: The skill has access to network operations (requests.post), file uploading, and generative tools.
  • Sanitization: There is no mention of content validation or sanitization for data retrieved from external sources before processing.
Audit Metadata
Risk Level
SAFE
Analyzed
May 12, 2026, 06:23 AM