tile-artist
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Communicates with OpenAI and Fal.ai APIs to generate and download tile textures based on design document palette entries.
- [CREDENTIALS_UNSAFE]: Accesses the
~/.all-skills/.envfile to retrieve FAL_KEY or OPENAI_API_KEY, which is a standard method for managing credentials within this skill's operational context. - [PROMPT_INJECTION]: Implements an indirect prompt injection surface via image generation prompts.
- Ingestion points: Reads tile descriptions, IDs, and colors from
game-state.json. - Boundary markers: No delimiters or instructions are used to separate user-provided descriptions from the static prompt template.
- Capability inventory: Performs network requests to AI APIs and writes processed image files to the local file system.
- Sanitization: No input validation or escaping is applied to the metadata interpolated into API prompts.
Audit Metadata