vision-bench

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Local execution of decryption tools.
  • Evidence: The vault.py script executes the sops binary via subprocess.run to decrypt API keys stored in secrets.enc.yaml. The command is restricted to a hardcoded binary and file path.
  • [EXTERNAL_DOWNLOADS]: Integration with official AI provider endpoints.
  • Evidence: judge.py performs network requests to established services including OpenAI, Anthropic, Google Gemini, Mistral, and OpenRouter to perform image evaluations.
  • [PROMPT_INJECTION]: Indirect prompt injection surface via visual media.
  • Ingestion points: Image files provided as CLI arguments in bench.py and processed in judge.py.
  • Boundary markers: The model instructions in judge.py define the scoring task but do not include specific delimiters or instructions to ignore potential visual prompts embedded within images.
  • Capability inventory: The skill performs network requests to LLM providers and file writes for report generation.
  • Sanitization: No sanitization or filtering of image content (e.g., OCR text detection) is performed before evaluation.
  • [CREDENTIALS_UNSAFE]: Proper management of sensitive API keys.
  • Evidence: The skill uses SOPS for encrypted credential storage and supports environment variables, following industry best practices for secret management.
Audit Metadata
Risk Level
SAFE
Analyzed
May 2, 2026, 02:08 PM
Security Audit — agent-trust-hub — vision-bench