zenmux-image-generation
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill manages its environment and performs image generation by executing bash and Python scripts through the
uvpackage manager. - [EXTERNAL_DOWNLOADS]: The
scripts/refresh_references.shscript fetches updated documentation and prompt cookbooks from GitHub (ZenMux, YouMind-OpenLab) and OpenAI's developer portal. These resources are used to guide the agent's behavior and prompt construction. - [DATA_EXFILTRATION]: The
scripts/image_common.pyfile includes logic infetch_reference_imagethat reads binary data from local paths or remote URLs specified by the user to be used as reference images. Since there are no restrictions on the file paths or verification of file content beyond a name check, a malicious user or an injection attack could lead the agent to read sensitive system files (e.g., SSH keys) and transmit them to the ZenMux API endpoint. Additionally, the use ofurllib.request.urlopenon user-supplied URLs without scheme or domain validation introduces a Server-Side Request Forgery (SSRF) risk. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It downloads external prompt cookbooks from the
YouMind-OpenLabGitHub repository and instructs the agent to search and incorporate their structural patterns into the final prompts sent to the image models. - Ingestion points: Markdown files in the
references/directory (specificallyawesome-gpt-image-2.mdandawesome-nano-banana-pro-prompts.md). - Boundary markers: Absent; instructions in
SKILL.mdStep 4 do not provide clear delimiters or warnings to ignore malicious instructions embedded in the cookbooks. - Capability inventory: The skill possesses the capability to perform network API calls and save files to the local system.
- Sanitization: No validation or sanitization of the downloaded cookbook content is performed before it is processed by the agent.
Audit Metadata