gpt-image-2
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The
character_sheet.pyandproduct_sheet.pyscripts utilizesubprocess.runto call an internal generation script (generate_image.py). This is a standard modular architecture for the skill and does not involve shell execution or unsafe interpolation of user input. - [EXTERNAL_DOWNLOADS]: The skill uses
urllib.request.urlretrieveto download generated assets from Replicate's infrastructure. These downloads are a core part of the skill's functionality and target the expected service provider. - [CREDENTIALS_UNSAFE]: The skill handles a Replicate API token which can be shared with sibling skills (such as
avatar-video-reelorbrand-asset-studio) by checking for their configuration files in the~/.cursor/skills/directory. This is a legitimate design for shared resource access within the user's environment. - [DATA_EXFILTRATION]: Network activity is restricted to authenticated requests to the Replicate API and the subsequent download of generated images. No unauthorized data exfiltration or access to sensitive local files was detected.
Audit Metadata