oma-image
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill extensively executes external binaries and CLI tools via subprocesses, including `oma image generate`, `codex exec`, `gh api`, and the `agy` CLI.
  - The implementation for the `antigravity` vendor uses the `agy` CLI with the `--dangerously-skip-permissions` flag. This flag is designed to bypass security and permission boundaries within the tool's agentic loop, increasing the risk if the underlying model is influenced by malicious instructions.
  - The `codex` vendor implementation utilizes `codex exec` to run instructions within a ChatGPT-connected environment.
- [EXTERNAL_DOWNLOADS]: The skill fetches data from external third-party GitHub repositories (`YouMind-OpenLab/awesome-gpt-image-2` and `YouMind-OpenLab/awesome-nano-banana-pro-prompts`) using the GitHub CLI (`gh api`). This content is used as a template for the agent's 'amplification' logic, which modifies user prompts before generation.
- [PROMPT_INJECTION]: The skill exhibits an 'Indirect Prompt Injection' surface through its prompt amplification protocol described in `resources/prompt-tips.md`.
  - Ingestion points: Untrusted markdown content is fetched from remote repositories via `gh api` and processed by the agent.
  - Boundary markers: There are no specific delimiters or instructions for the agent to ignore or sanitize embedded instructions within the fetched content.
  - Capability inventory: The agent possesses powerful capabilities, including shell command execution (`oma`, `codex`, `agy`), file system write access (saving images and manifests), and network access to vendor APIs.
  - Sanitization: The skill does not implement validation or sanitization for the remote content before using it to influence the final generation prompt.
Audit Metadata