mike-convex-thumbnail
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to run a local PowerShell script
scripts/check-local-assets.ps1to verify the availability of thumbnail assets. This script performs filesystem checks on hardcoded directories using theTest-Pathcommand. - [PROMPT_INJECTION]: The skill identifies a workflow where external video scripts or Notion pages are processed to extract 'hooks' for image prompts, establishing an indirect prompt injection surface.
- Ingestion points: Video scripts, Notion pages, or video briefs provided in the user context as described in the Core Workflow of
SKILL.md. - Boundary markers: The skill does not define specific delimiters or instructions to isolate untrusted external content from its core instructions.
- Capability inventory: The skill can execute local scripts, access local image files, and interact with image generation models.
- Sanitization: There is no evidence of validation or escaping applied to the content extracted from external sources before it influences the final generation prompt.
- [DATA_EXFILTRATION]: The skill hardcodes multiple absolute local file paths, which reveals the directory structure and username of the intended execution environment.
- Evidence:
SKILL.mdincludes paths such asG:\My Drive\Personal\Photos of Me\convex\Backgrounds Removed,C:\Users\mikec\Assets\Images, and a specific temporary file atC:\Users\mikec\AppData\Local\Temp\codex-clipboard-2e3ea2e2-5464-460f-86f3-f4c4bcd6f731.png.
Audit Metadata