avatar-location
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
subprocess.Popeninscripts/_common.pyto run scripts from sibling skills likeavatar-inventandavatar-camera-angles. These commands are executed using argument lists rather than shell strings, and script paths are resolved from specific local project or user directories, mitigating command injection risks. - [EXTERNAL_DOWNLOADS]: The skill lists
Pillowinscripts/requirements.txtfor image manipulation. This is a standard and well-recognized library within the Python ecosystem. - [CREDENTIALS_UNSAFE]: API tokens for services like Replicate and Gemini are managed through environment variables or local configuration files using a provided setup script. This implementation supports standard development workflows for secret management without hardcoding sensitive values.
Audit Metadata