mike-convex-thumbnail

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to run a local PowerShell script scripts/check-local-assets.ps1 to verify the availability of thumbnail assets. This script performs filesystem checks on hardcoded directories using the Test-Path command.
  • [PROMPT_INJECTION]: The skill identifies a workflow where external video scripts or Notion pages are processed to extract 'hooks' for image prompts, establishing an indirect prompt injection surface.
  • Ingestion points: Video scripts, Notion pages, or video briefs provided in the user context as described in the Core Workflow of SKILL.md.
  • Boundary markers: The skill does not define specific delimiters or instructions to isolate untrusted external content from its core instructions.
  • Capability inventory: The skill can execute local scripts, access local image files, and interact with image generation models.
  • Sanitization: There is no evidence of validation or escaping applied to the content extracted from external sources before it influences the final generation prompt.
  • [DATA_EXFILTRATION]: The skill hardcodes multiple absolute local file paths, which reveals the directory structure and username of the intended execution environment.
  • Evidence: SKILL.md includes paths such as G:\My Drive\Personal\Photos of Me\convex\Backgrounds Removed, C:\Users\mikec\Assets\Images, and a specific temporary file at C:\Users\mikec\AppData\Local\Temp\codex-clipboard-2e3ea2e2-5464-460f-86f3-f4c4bcd6f731.png.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 09:09 AM
Security Audit — agent-trust-hub — mike-convex-thumbnail