sn-image-imitate

Warn

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The Worker Agent workflow defined in SKILL.md builds shell command strings by interpolating variables like $TARGET_CONTENT and $LONG_CAPTION. For example, Step 0 uses echo "$TARGET_CONTENT" > "$TEMP_DIR/target-content.txt". If these variables contain shell metacharacters (such as backticks, semicolons, or pipes), an attacker could execute arbitrary commands in the agent's execution environment.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It processes untrusted data from the reference_image and user-specified target_content, then embeds this content into prompts for LLM and VLM calls without adequate protection. This could allow adversarial content within an image or the input text to override the skill's instructions.
  • Ingestion points: reference_image (Step 1) and target_content (Step 0 and Step 2).
  • Boundary markers: None; the prompts rely on simple text labels (e.g., 'Target content:') which do not effectively isolate untrusted data from the instruction context.
  • Capability inventory: The skill can perform local file writes, execute shell commands through the sn_agent_runner.py script, and invoke text/image generation models.
  • Sanitization: No evidence of escaping or validation is present for inputs before they are used in command execution or prompt construction.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 1, 2026, 09:01 AM