open-images-for-free-use
Pass
Audited by Gen Agent Trust Hub on Jun 5, 2026
Risk Level: SAFE
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads image files from a single, immutable commit of a GitHub repository (peter-duffy95/free-use-images). Because the fetch URL is pinned to a commit SHA (e40900d) rather than a branch, the assets cannot change after review, which removes the "living content" risk of a moving target. One caveat: the SHA shown is the seven-character abbreviated form; pinning the full 40-character commit hash is preferable, since abbreviated hashes can become ambiguous as a repository grows.
- [COMMAND_EXECUTION]: The skill runs a short shell pipeline (curl, strings, grep, xargs, less) to pull a license identifier out of the downloaded image's metadata. That identifier is then used to build the path of a local license document, so the security-relevant control is the strict allow-list regex applied to the extracted value before it touches the file system: only an exact match against a fixed set of known identifiers is accepted, so attacker-controlled metadata cannot steer the path to an arbitrary file.
- [DATA_EXPOSURE]: File system access is limited to writing the downloaded image under /tmp and reading the license text files bundled with the skill. No sensitive system files or environment variables are read.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (image metadata), but the same allow-list check bounds its influence: the metadata can only select which of eight fixed, pre-vetted local files is displayed, never contribute text of its own. A value that fails validation is not echoed back, so injected instructions embedded in the metadata never reach the output.
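The two findings above (the allow-listed file path and the non-echo of rejected values) both rest on one check. The following is an added illustration of that pattern, not the skill's own pipeline: the eight identifiers below are assumed stand-ins for the skill's unnamed allow-list, the metadata is assumed to be a "License: <id>" string embedded in the file, the license texts are assumed to live under $LICENSE_DIR/<id>.txt, and tr stands in for strings(1) so the block runs without binutils. The sample "images" are constructed inline.

```shell
#!/bin/sh
# Added example (not from the audited skill). Demonstrates extracting a license
# token from binary metadata and allow-listing it before it becomes a path.
set -eu

# Assumed allow-list; the audit says eight identifiers but does not name them.
ALLOWED='CC0-1.0|CC-BY-4.0|CC-BY-SA-4.0|CC-BY-NC-4.0|CC-BY-ND-4.0|CC-BY-NC-SA-4.0|CC-BY-NC-ND-4.0|PDM-1.0'
LICENSE_DIR="${LICENSE_DIR:-./licenses}"   # assumed location of the bundled texts

# Pull the first "License: <token>" out of the printable runs of a binary file.
# tr splits on non-printable bytes much like strings(1) does. Raw, untrusted output.
extract_license_token() {
  tr -c '[:print:]\n' '\n' < "$1" \
    | sed -n 's/.*License: \([^[:space:]]*\).*/\1/p' \
    | head -n 1
}

# Validate the token: grep -x requires the whole line to equal one allow-list
# entry (case-sensitive, no partial match). On failure nothing is printed, so
# the untrusted bytes never reach stdout or a file path.
validate_license_id() {
  printf '%s\n' "$1" | grep -Eqx "($ALLOWED)" || return 1
  printf '%s\n' "$1"
}

# Resolve the local license document for an image. The path is built only from
# a validated identifier; a rejected token yields no path at all.
license_doc_for_image() {
  raw=$(extract_license_token "$1")
  id=$(validate_license_id "$raw") || return 1
  printf '%s/%s.txt\n' "$LICENSE_DIR" "$id"
}

# Constructed sample "image": a few binary bytes surrounding a License field.
write_sample_image() {   # $1 = output path, $2 = license string to embed
  printf 'GIF89a\001\000\377License: %s\000\376Author: sample\n' "$2" > "$1"
}

demo() {
  dir=$(mktemp -d)
  write_sample_image "$dir/ok.gif"   'CC-BY-4.0'            # legitimate
  write_sample_image "$dir/trav.gif" '../../../etc/passwd'  # path traversal attempt
  write_sample_image "$dir/inj.gif"  'CC-BY-4.0;$(id)'      # command/prompt injection attempt
  for f in ok trav inj; do
    if p=$(license_doc_for_image "$dir/$f.gif"); then
      echo "$f: display $p"
    else
      # Fixed message only: the rejected token is deliberately not echoed.
      echo "$f: license not recognised, nothing displayed"
    fi
  done
  rm -rf "$dir"
}
demo
```

The important detail is grep's -x: without it, a token such as `CC-BY-4.0;$(id)` or `x/../CC0-1.0` could still contain an allowed identifier as a substring and pass an unanchored check. Keeping the raw token inside the function and printing only a fixed message on failure is what prevents metadata text from being replayed into the skill's output.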
Audit Metadata