image-well
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/well.pyusessubprocess.runto call the system'sopencommand to launch a browser for the generated HTML search results. This is used for visual preview and is limited to the specific preview file created by the tool. - [SAFE]: The skill uses
importlib.import_moduleinscripts/sources/__init__.pyto load its various image source plugins. This dynamic loading is done from a static internal list of source names, preventing arbitrary code execution from untrusted input. - [SAFE]: Multiple files in the
sources/directory use__import__("pathlib")within path manipulation logic to resolve the location of shared utilities. This is a local path resolution technique and does not pose a security risk. - [SAFE]: The tool manages API keys for external services by reading them from the user's environment or a configuration file at
~/.config/env/secrets.env. This is a standard and documented way for the agent to access credentials provided by the user.
Audit Metadata