slideshow-producer
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/composite-text.mjsexecutes shell commands by spawningpython3. This script also dynamically generates Python code at runtime by interpolating manifest data into a code template string before execution. WhileJSON.stringifyis used to sanitize inputs, generating executable code from data remains a high-risk pattern.\n- [DATA_EXFILTRATION]: The GUI server ingui/server.mjsprovides an endpoint (/api/image) that serves local files based on absolute paths found in the slideshow manifest. Since the manifest is generated by the AI based on campaign-level files and user input, an attacker could potentially influence the AI to include sensitive system paths in the manifest, leading to unauthorized file exposure via the localhost server.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes user descriptions and campaign files (e.g.,brand.md,persona.md) to generate a manifest that controls file access and code execution parameters. Mandatory evidence: 1. Ingestion points: User descriptions (Phase 1), campaign source files (brand.md,persona.md,product.md). 2. Boundary markers: None identified for the manifest generation process. 3. Capability inventory: Subprocess execution (python3), local file read/write (server.mjs), and a local HTTP server. 4. Sanitization: UsesJSON.stringifyduring Python code generation and a validation script (validate-manifest.mjs) that checks path existence but does not restrict paths to a safe directory.
Audit Metadata