Gen Agent Trust Hub audit: skills/phuetz/code-buddy/gimp

gimp

Status: Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The MCP configuration in SKILL.md uses npx -y @libreearth/gimp-mcp to fetch and run a package at runtime. This allows the execution of unvetted code from an external source that is not on the trusted vendor list.
  • [COMMAND_EXECUTION]: Multiple examples, such as batch-watermark-runner.py and the Bash workflows, use subprocess.run or direct shell execution with command strings built via string interpolation (e.g., gimp -i -b "..."). If input variables such as input_path or watermark_text contain malicious shell metacharacters, this could lead to arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing external data without boundary markers or sanitization.
      ◦ Ingestion points: SKILL.md processes untrusted data through input_path variables in scripts and a config.json file loaded via json.load in the social media post generator.
      ◦ Boundary markers: No delimiters or instructions to ignore embedded commands are present when processing external file paths or text content.
      ◦ Capability inventory: The skill possesses extensive capabilities, including subprocess execution (subprocess.run), file system modification (os.makedirs), and image-based file writes through the GIMP PDB API.
      ◦ Sanitization: There is no evidence of escaping, validation, or filtering of external strings before they are used to build shell commands or filesystem paths.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 18, 2026, 07:13 AM