picgo-upload
Pass
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `picgo` CLI and a bundled Node.js script (gui-upload.mjs) to interact with local and remote services. These executions are scoped to the skill's primary purpose of file uploading and follow standard CLI patterns.
- [EXTERNAL_DOWNLOADS]: Instructions guide the installation of the `picgo` CLI globally via `npm install picgo -g` if it is not already present on the system. This is a standard procedure for installing this well-known open-source utility.
- [DATA_EXFILTRATION]: While the skill's purpose is to upload local data to remote servers, it includes a dedicated section on 'Public-link safety'. It instructs the agent to warn users that uploaded links are public and to require explicit confirmation before uploading potentially sensitive non-image files like PDFs or archives.
- [CREDENTIALS_UNSAFE]: The skill manages authentication tokens for PicGo Cloud and secrets for the local GUI server using environment variables and `.env` files. It explicitly instructs against committing these secrets to version control, following secure configuration management practices.