pexels-media

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches media and metadata from Pexels' official domains (api.pexels.com, images.pexels.com, and videos.pexels.com).
  • [COMMAND_EXECUTION]: Uses system utilities curl and jq to perform network operations, parse JSON responses, and write local files.
  • [PROMPT_INJECTION]: The skill processes untrusted metadata from the Pexels API, which constitutes an indirect prompt injection surface.
      • Ingestion points: API response content from Pexels (containing photographer names, alt text, and URLs) is processed in SKILL.md.
      • Boundary markers: None present; the skill does not use delimiters or instructions to ignore potential commands embedded within the API data.
      • Capability inventory: The skill possesses file writing capabilities (via jq) and network access (via curl).
      • Sanitization: Employs jq for processing, which provides structural validation and string escaping for the generated JSON metadata files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 14, 2026, 02:31 AM