qiaomu-mondo-poster-design
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions specify installation via
npx skills add joeseesun/qiaomu-mondo-poster-design. This fetches code from a third-party source that is not verified as a well-known service or trusted organization. - [COMMAND_EXECUTION]: The documentation includes shell commands for environment configuration and Python scripts for batch image processing. These scripts use the
osandPILmodules to manage file paths and save generated images locally. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data.
- Ingestion points: User-provided strings in
promptand external image files viainput_image_path(SKILL.md). - Boundary markers: None identified in the prompt interpolation logic.
- Capability inventory: The skill performs file system writes (
img.save) and interacts with external LLM APIs (OpenAI/Anthropic) to generate and optimize prompts. - Sanitization: No validation or sanitization of user input is documented before it is passed to the image generation or prompt optimization workflows.
Audit Metadata