image-skill
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill is designed to be executed or installed via npm (e.g.,
npx -y image-skill@latest). All components are retrieved from the official npm registry or the vendor's public GitHub repository. - [COMMAND_EXECUTION]: The skill operates as a CLI tool. It provides a comprehensive set of commands for media generation, job management, and payment processing, which the agent is instructed to run in its environment.
- [DATA_EXFILTRATION]: As a hosted service, the tool transmits user-provided prompts and media metadata to the vendor's API (
api.image-skill.com). This is the core purpose of the skill and is explicitly documented throughout the instructions. - [SAFE]: The skill demonstrates a strong security posture by using a single-file, dependency-free Node.js runtime, which eliminates supply-chain vulnerabilities. It also provides explicit guidance on secure credential management, instructing agents to use restricted file permissions (
0600) and avoid passing secrets via command-line arguments.
Audit Metadata