subtoken-imagegen
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The wrapper script `scripts/generate_image.py` includes a mechanism to read local files via the `--input-image` parameter and transmit the content to an external API endpoint (`subtoken.vip`). While this is the intended workflow for image editing, it creates a surface where a malicious actor or an injected instruction could cause the agent to exfiltrate sensitive files by passing their paths to the script.
- [EXTERNAL_DOWNLOADS]: The skill performs outbound network requests to `https://subtoken.vip/v1` to interact with the image API and downloads binary data from generated URLs to save images to the local filesystem.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to the processing of external API data.
  - Ingestion points: The script `scripts/generate_image.py` ingests JSON responses and image binary data from the remote `subtoken.vip` API.
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the processed API data (e.g., the `revised_prompt` field).
  - Capability inventory: The skill allows for local file writing and arbitrary outbound network requests via the Python script.
  - Sanitization: The skill does not sanitize text returned by the API before it is potentially used in subsequent agent turns.
Audit Metadata