uapi-post-image-svg

Pass

Audited by Gen Agent Trust Hub on Jul 9, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is a standard API wrapper for the UAPI platform. All external communication is directed to the service's official domain at uapis.cn, which is consistent with the skill's declared purpose.
  • [DATA_EXFILTRATION]: The skill sends user-provided SVG files to the external API endpoint https://uapis.cn/api/v1/image/svg. While this involves sending data to a third-party service, it is the primary and intended function of the skill and is clearly documented for the user.
  • [EXTERNAL_DOWNLOADS]: The skill establishes network connections to uapis.cn. No external code execution or script downloads from untrusted sources were found.
  • [CREDENTIALS_UNSAFE]: The skill provides instructions for users to provide their own UAPI Keys if prompted by the service, following standard authentication practices. No hardcoded secrets or sensitive local file accesses were detected.
  • [SAFE]: Analysis of the indirect prompt injection surface identifies that the skill ingests untrusted SVG data.
  • Ingestion points: Untrusted SVG content is accepted as a multipart request body in references/operations/post-image-svg.md.
  • Boundary markers: Absent; the skill relies on the agent's standard tool-handling for file uploads.
  • Capability inventory: Network POST request capability to the UAPI endpoint.
  • Sanitization: None specified for the SVG content, as it is processed by the external service's backend.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 9, 2026, 06:42 AM
Security Audit — agent-trust-hub — uapi-post-image-svg