vision-bench
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Local execution of decryption tools.
- Evidence: The
vault.pyscript executes thesopsbinary viasubprocess.runto decrypt API keys stored insecrets.enc.yaml. The command is restricted to a hardcoded binary and file path. - [EXTERNAL_DOWNLOADS]: Integration with official AI provider endpoints.
- Evidence:
judge.pyperforms network requests to established services including OpenAI, Anthropic, Google Gemini, Mistral, and OpenRouter to perform image evaluations. - [PROMPT_INJECTION]: Indirect prompt injection surface via visual media.
- Ingestion points: Image files provided as CLI arguments in
bench.pyand processed injudge.py. - Boundary markers: The model instructions in
judge.pydefine the scoring task but do not include specific delimiters or instructions to ignore potential visual prompts embedded within images. - Capability inventory: The skill performs network requests to LLM providers and file writes for report generation.
- Sanitization: No sanitization or filtering of image content (e.g., OCR text detection) is performed before evaluation.
- [CREDENTIALS_UNSAFE]: Proper management of sensitive API keys.
- Evidence: The skill uses SOPS for encrypted credential storage and supports environment variables, following industry best practices for secret management.
Audit Metadata