hume
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is designed to interact with the official Hume AI API endpoints (api.hume.ai) to perform emotion analysis and text-to-speech synthesis, which is consistent with its stated purpose.
- [SAFE]: Authentication is handled correctly through the HUME_TOKEN environment variable, ensuring that API keys are not hardcoded within the skill's files.
- [COMMAND_EXECUTION]: The skill utilizes standard system tools such as curl, jq, and base64 to manage API requests and process resulting data. These operations are typical for an API-focused skill and do not involve suspicious command patterns.
- [PROMPT_INJECTION]: The skill processes external data (text and media URLs) which creates a surface for indirect prompt injection. However, the skill's limited capabilities (restricted to API calls and temporary file handling) mitigate the risk of exploitation.
- Ingestion points: External data enters via text, description, and URL fields within JSON request files (SKILL.md).
- Boundary markers: No explicit delimiters are used to isolate untrusted data within the JSON payloads.
- Capability inventory: Execution of curl and jq for network communication and data parsing (SKILL.md).
- Sanitization: No input validation or filtering is performed on external data before it is sent to the remote API.
Audit Metadata