Skills
skills/opusgamelabs/game-creator/game-assets/Gen Agent Trust Hub

game-assets

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to manage the asset pipeline, including using node to run local character-building scripts and curl or wget for asset management.
  • Evidence: node scripts/build-character.mjs, node scripts/crop-head.mjs, curl -o public/assets/meme-ref.png "<image_url>".
  • [EXTERNAL_DOWNLOADS]: The skill automates the downloading of external assets such as company logos, meme images, and spritesheets from the web or from URLs provided in input data.
  • Evidence: Instructions to fetch logos from official sources and meme images from image_url fields in thread.json.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon untrusted data from external sources and project files.
  • Ingestion points: The agent reads thread.json for image URLs and processes content from WebSearch results to find character headshots.
  • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within the processed data are provided.
  • Capability inventory: The skill possesses the capability to perform network requests (curl, wget), write to the file system (public/assets/), and execute local scripts (node).
  • Sanitization: There is no evidence of sanitization or validation of the URLs or metadata retrieved from untrusted external sources before they are used in shell commands.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 25, 2026, 10:06 AM