volcengine-ark-image-generator
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements secure credential management by instructing users to store API keys in a local configuration file (~/.config/flc1125/...) rather than hardcoding them or passing them through insecure channels.
- [SAFE]: The bundled execution script (scripts/generate-image.mjs) contains robust path validation that ensures all file output is restricted to the current workspace, effectively preventing path traversal or arbitrary file write attacks.
- [SAFE]: Network activity is restricted to the official Volcengine Ark API endpoint (volces.com), which is a recognized and well-known technology service.
- [SAFE]: The script includes sensitive data redaction logic that filters API keys, local image bytes, and signed provider URLs from console output to prevent accidental credential or data exposure in logs.
- [SAFE]: The skill relies exclusively on Node.js built-in modules (fs, os, path) and has no third-party dependencies, significantly reducing the supply chain risk profile.
Audit Metadata