gpt-image-2

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The character_sheet.py and product_sheet.py scripts utilize subprocess.run to call an internal generation script (generate_image.py). This is a standard modular architecture for the skill and does not involve shell execution or unsafe interpolation of user input.
  • [EXTERNAL_DOWNLOADS]: The skill uses urllib.request.urlretrieve to download generated assets from Replicate's infrastructure. These downloads are a core part of the skill's functionality and target the expected service provider.
  • [CREDENTIALS_UNSAFE]: The skill handles a Replicate API token which can be shared with sibling skills (such as avatar-video-reel or brand-asset-studio) by checking for their configuration files in the ~/.cursor/skills/ directory. This is a legitimate design for shared resource access within the user's environment.
  • [DATA_EXFILTRATION]: Network activity is restricted to authenticated requests to the Replicate API and the subsequent download of generated images. No unauthorized data exfiltration or access to sensitive local files was detected.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM