skills/jmagar/lab/immich/Gen Agent Trust Hub

immich

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands to load environment variables and execute API requests. Evidence includes the use of source for configuration files and curl for interacting with REST endpoints.
  • [PROMPT_INJECTION]: The skill processes data from the Immich API (such as photo metadata and album lists), which presents an attack surface for indirect prompt injection. There are no boundary markers or explicit sanitization steps defined for handling these API responses.
  • [DATA_EXFILTRATION]: The skill communicates with non-whitelisted network destinations, specifically the IP address 100.120.242.29 and the domain tootie.tv. These operations are part of the skill's primary function to connect to a self-hosted server.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 05:33 PM
Security Audit — agent-trust-hub — immich