Art
Fail
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Potential shell command injection in
Tools/Generate.ts. TheaddBackgroundColorfunction usesexecAsyncto execute amagickshell command with unescaped variables for input and output paths. A maliciously crafted filename could be used to execute arbitrary shell commands on the host. - [COMMAND_EXECUTION]: Risk of shell injection in notification instructions. Instructions in
SKILL.mdand various workflows (e.g.,Workflows/AdHocYouTubeThumbnail.md) command the agent to runcurlto a local notification service using unescaped placeholders for workflow names and actions. This pattern is vulnerable to injection if the agent populates these fields with untrusted content. - [PROMPT_INJECTION]: Susceptibility to indirect prompt injection. The skill ingests untrusted data from articles and URLs to extract information for generating AI prompts. Ingestion points:
Tools/GeneratePrompt.ts(file input) andWorkflows/AdHocYouTubeThumbnail.md(content analysis). Boundary markers: None identified. Capability inventory: Shell execution ofmagickandcurl, and network access to AI APIs using stored credentials. Sanitization: No input validation is performed on the ingested content before interpolation into model prompts. - [COMMAND_EXECUTION]: Extensive reliance on system binaries. The skill frequently executes external tools like
magick,rembg, andcwebp. This is functional but represents a significant attack surface. - [EXTERNAL_DOWNLOADS]: Standard network requests to trusted AI services (OpenAI, Google, Replicate) and Discord. These operations are consistent with the skill's stated purpose.
Recommendations
- AI detected serious security threats
Audit Metadata