image-analyzer
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to run 'npx gooseworks login' to authenticate, which involves downloading and executing the vendor's package from the npm registry.
- [COMMAND_EXECUTION]: The skill uses 'python3' for local JSON parsing of credentials and 'curl' to interact with the Gooseworks API. These are standard operations for the skill's functionality.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content (images and website metadata) from external, untrusted URLs. • Ingestion points: Fetches images and scrapes website data from URLs provided in 'SKILL.md'. • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt templates. • Capability inventory: Uses 'curl' for network communication and 'python3' for command-line processing. • Sanitization: No validation or sanitization of the content fetched from remote URLs is performed before analysis.
Audit Metadata