zenmux-image-generation

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill manages its environment and performs image generation by executing bash and Python scripts through the uv package manager.
  • [EXTERNAL_DOWNLOADS]: The scripts/refresh_references.sh script fetches updated documentation and prompt cookbooks from GitHub (ZenMux, YouMind-OpenLab) and OpenAI's developer portal. These resources are used to guide the agent's behavior and prompt construction.
  • [DATA_EXFILTRATION]: The scripts/image_common.py file includes logic in fetch_reference_image that reads binary data from local paths or remote URLs specified by the user to be used as reference images. Since there are no restrictions on the file paths or verification of file content beyond a name check, a malicious user or an injection attack could lead the agent to read sensitive system files (e.g., SSH keys) and transmit them to the ZenMux API endpoint. Additionally, the use of urllib.request.urlopen on user-supplied URLs without scheme or domain validation introduces a Server-Side Request Forgery (SSRF) risk.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It downloads external prompt cookbooks from the YouMind-OpenLab GitHub repository and instructs the agent to search and incorporate their structural patterns into the final prompts sent to the image models.
  • Ingestion points: Markdown files in the references/ directory (specifically awesome-gpt-image-2.md and awesome-nano-banana-pro-prompts.md).
  • Boundary markers: Absent; instructions in SKILL.md Step 4 do not provide clear delimiters or warnings to ignore malicious instructions embedded in the cookbooks.
  • Capability inventory: The skill possesses the capability to perform network API calls and save files to the local system.
  • Sanitization: No validation or sanitization of the downloaded cookbook content is performed before it is processed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 08:24 AM
Security Audit — agent-trust-hub — zenmux-image-generation