skills/picgo/skills/picgo-upload/Gen Agent Trust Hub

picgo-upload

Pass

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the picgo CLI and a bundled Node.js script (gui-upload.mjs) to interact with local and remote services. These executions are scoped to the skill's primary purpose of file uploading and follow standard CLI patterns.
  • [EXTERNAL_DOWNLOADS]: Instructions guide the installation of the picgo CLI globally via npm install picgo -g if it is not already present on the system. This is a standard procedure for installing this well-known open-source utility.
  • [DATA_EXFILTRATION]: While the skill's purpose is to upload local data to remote servers, it includes a dedicated section on 'Public-link safety'. It instructs the agent to warn users that uploaded links are public and to require explicit confirmation before uploading potentially sensitive non-image files like PDFs or archives.
  • [CREDENTIALS_UNSAFE]: The skill manages authentication tokens for PicGo Cloud and secrets for the local GUI server using environment variables and .env files. It explicitly instructs against committing these secrets to version control, following secure configuration management practices.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 1, 2026, 06:12 AM
Security Audit — agent-trust-hub — picgo-upload