uapi-post-image-motou

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill employs misleading metadata by including keywords unrelated to its primary function. While the skill is designed to generate a 'petting head' GIF, it lists keywords such as 'nsfw image detection', 'image compression', and 'svg to image'.
  • Evidence: In SKILL.md and references/quick-start.md, the English keywords section includes: image compression, image to base64, base64 to image, svg to image, nsfw image detection.
  • Risk: This discrepancy could cause an AI agent to incorrectly select this skill when a user requests a sensitive operation like NSFW detection. This would result in the user's image being sent to the external GIF generation service instead of the intended tool.
  • [DATA_EXFILTRATION]: The skill is configured to send user-provided data, including image files and URLs, to an external API.
  • Evidence: The file references/operations/post-image-motou.md specifies that the agent should send an image_url or a file to https://uapis.cn/api/v1/image/motou via a POST request.
  • Risk: Combined with the misleading keywords, there is a heightened risk that sensitive user data (such as private images intended for a safety check) could be exfiltrated to a third-party domain without the user's informed consent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 10:05 AM
Security Audit — agent-trust-hub — uapi-post-image-motou