image-well

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/well.py uses subprocess.run to call the system's open command to launch a browser for the generated HTML search results. This is used for visual preview and is limited to the specific preview file created by the tool.
  • [SAFE]: The skill uses importlib.import_module in scripts/sources/__init__.py to load its various image source plugins. This dynamic loading is done from a static internal list of source names, preventing arbitrary code execution from untrusted input.
  • [SAFE]: Multiple files in the sources/ directory use __import__("pathlib") within path manipulation logic to resolve the location of shared utilities. This is a local path resolution technique and does not pose a security risk.
  • [SAFE]: The tool manages API keys for external services by reading them from the user's environment or a configuration file at ~/.config/env/secrets.env. This is a standard and documented way for the agent to access credentials provided by the user.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:39 PM
Security Audit — agent-trust-hub — image-well