image-upload
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were detected. The skill operates according to its stated purpose of facilitating image uploads to well-known third-party hosting providers.
- [DATA_EXFILTRATION]: The skill implements a 'purifier' phase in
src/upload.tsthat uses magic byte detection (src/utils/mime.ts) to validate the file format before uploading. This ensures that only legitimate image files are sent to external servers, providing a robust safeguard against the exfiltration of sensitive non-image files such as SSH keys, password files, or environment configurations. - [CREDENTIALS_UNSAFE]: Secret management follows industry best practices. The skill allows users to provide API keys and authentication cookies through environment variables or locally stored
.envfiles, avoiding hardcoded credentials within the source code. - [EXTERNAL_DOWNLOADS]: The skill communicates with established and legitimate image hosting services (Catbox, ImgBB, Imgur, Freeimage, ImgHippo, Weibo) via their official API endpoints.
- [COMMAND_EXECUTION]: File system access is restricted to reading the specific image files requested by the user or agent for upload using standard Node.js 'fs' modules.
Audit Metadata