baoyu-comic
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes `npx` to resolve the `bun` runtime environment if it is not already present on the system. Both are well-known development tools.
- [COMMAND_EXECUTION]: Executes local TypeScript scripts (`scripts/merge-to-pdf.ts`) using the Bun runtime to combine generated images into a single PDF document.
- [COMMAND_EXECUTION]: Uses system utilities such as `sips` (macOS native) or `pngquant` for image compression and format conversion tasks.
- [COMMAND_EXECUTION]: Dynamically discovers and executes a sibling wrapper script (`baoyu-codex-imagegen/src/main.ts`) through directory traversal to facilitate integration with optional image generation backends.
- [PROMPT_INJECTION]: The skill processes arbitrary user-provided text to generate comics, which creates a surface for indirect prompt injection.
  - Ingestion points: User-supplied source content or files (e.g., `source.md`).
  - Boundary markers: Not explicitly defined in the provided prompt templates (`references/base-prompt.md`).
  - Capability inventory: Local script execution (`scripts/merge-to-pdf.ts`), system utility calls (`sips`, `pngquant`), and invocation of external image generation tools.
  - Sanitization: No specific content filtering or sanitization logic is implemented in the provided scripts.
- [SAFE]: Manages user preferences and watermark settings through local configuration files (`EXTEND.md`) stored in project-specific or user-home directories.
Audit Metadata