svg-generator
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes untrusted user-provided content through an external AI service.
- Ingestion points: Text prompts, style instructions, and reference image URLs in
scripts/generate_svg.py, and image files or URLs inscripts/vectorize_svg.py. - Boundary markers: Absent; user inputs are directly included in the JSON payloads sent to the API.
- Capability inventory: Network POST requests to
api.quiver.aiand local file-write operations in bothscripts/generate_svg.pyandscripts/vectorize_svg.py. - Sanitization: No validation, escaping, or filtering of the user-supplied content is implemented.
- [SAFE]: Authentication is handled via environment variables (
QUIVER_API_KEY), which is a recommended practice for secret management. - [SAFE]: The scripts only communicate with the service provider's domain (
api.quiver.ai) and do not perform any unexpected network operations.
Audit Metadata