oma-image

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill extensively executes external binaries and CLI tools via subprocesses, including oma image generate, codex exec, gh api, and the agy CLI.
  • The implementation for the antigravity vendor uses the agy CLI with the --dangerously-skip-permissions flag. This flag is designed to bypass security and permission boundaries within the tool's agentic loop, increasing the risk if the underlying model is influenced by malicious instructions.
  • The codex vendor implementation utilizes codex exec to run instructions within a ChatGPT-connected environment.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from external third-party GitHub repositories (YouMind-OpenLab/awesome-gpt-image-2 and YouMind-OpenLab/awesome-nano-banana-pro-prompts) using the GitHub CLI (gh api). This content is used as a template for the agent's 'amplification' logic, which modifies user prompts before generation.
  • [PROMPT_INJECTION]: The skill exhibits an 'Indirect Prompt Injection' surface through its prompt amplification protocol described in resources/prompt-tips.md.
  • Ingestion points: Untrusted markdown content is fetched from remote repositories via gh api and processed by the agent.
  • Boundary markers: There are no specific delimiters or instructions for the agent to ignore or sanitize embedded instructions within the fetched content.
  • Capability inventory: The agent possesses powerful capabilities, including shell command execution (oma, codex, agy), file system write access (saving images and manifests), and network access to vendor APIs.
  • Sanitization: The skill does not implement validation or sanitization for the remote content before using it to influence the final generation prompt.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 13, 2026, 12:18 PM
Security Audit — agent-trust-hub — oma-image