Article Illustrator

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly an article illustration workflow, but it needs Review because some external data sharing and automatic project changes are broader or less clearly disclosed than the user-facing purpose suggests.

Install only if you are comfortable sending article text, prompts, and any selected reference images to WeryAI. Avoid using private local images as references unless you intend to upload them, review generated .image-skills config before committing it, and be cautious with webhook URLs, npx/Bun execution, and in-place article or image compression changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability (Medium, 91% confidence)

Finding: This setup script delegates execution to a vendored script via `spawnSync` using the current Node executable and inherited stdio/environment. That gives the skill an install/setup-time code-execution path that is broader than its stated article-illustration purpose, and if the vendored dependency or local files are modified, arbitrary commands could run with the user's privileges.

Intent-Code Divergence (Medium, 93% confidence)

Finding: The documentation contradicts itself about when the original file is preserved versus overwritten, specifically around the meaning of `--keep`. In a tool that performs file transformations, ambiguous overwrite semantics can cause unintended data loss or repeated destructive processing, especially when agents rely on the spec to decide safe automation behavior.

Context-Inappropriate Capability (Medium, 89% confidence)

Finding: This script recursively scans a caller-controlled directory for package.json files and runs `npm install` in each matching directory. That gives the skill a broad code-execution and network-fetch capability through package lifecycle scripts and dependency resolution, which is not clearly necessary for an article-illustration skill and becomes dangerous if pointed at untrusted or overly broad paths.

Context-Inappropriate Capability (Medium, 93% confidence)

Finding: The CLI exposes a `--use-web-search` option and forwards it to the upstream image API, adding external browsing capability that is not necessary for a local article-illustration generator. This expands data exposure and outbound network behavior beyond the stated skill purpose, increasing the chance that prompts or derived queries are sent to third parties without clear user intent.

Context-Inappropriate Capability (High, 97% confidence)

Finding: The code accepts an arbitrary `--webhook-url` and forwards it to the external generation service, enabling user content and task metadata to be pushed to attacker-controlled endpoints. For an article illustration skill, unsolicited outbound callbacks are unnecessary and create a clear exfiltration path.

Description-Behavior Mismatch (Medium, 80% confidence)

Finding: The standalone `status` subcommand allows querying arbitrary generation task IDs outside the core article-illustration workflow. While not inherently dangerous, it broadens the skill into a general task-inspection client and may expose metadata or result state for tasks unrelated to the current user session if task IDs are available.

Context-Inappropriate Capability (Medium, 90% confidence)

Finding: The wrapper invokes `npx -y bun <entryScript>`, which causes execution of external tooling and potentially package-resolution behavior outside the immediate script. In a skill context, this expands the trust boundary to the package runner/runtime and can execute unpinned or unexpected code depending on the environment, making the illustration skill more dangerous than its user-facing purpose suggests.

Missing User Warnings (Medium, 86% confidence)

Finding: When output resolves to the same path as the input, the script overwrites the original image without explicit confirmation, and when output differs it silently renames any existing destination to a timestamped backup. In an agent or automated workflow, this can unexpectedly modify or replace user files, causing integrity loss, confusion, and accumulation of stray backups.

Missing User Warnings (Medium, 95% confidence)

Finding: The document explicitly instructs the agent to run a readiness pass silently before any user-facing disclosure, while that pass may detect and auto-bootstrap local dependencies. Even if framed as convenience setup, undisclosed environment inspection and setup actions violate informed consent and can lead to unexpected local changes before the user approves them.

Missing User Warnings (Medium, 96% confidence)

Finding: The instructions direct the agent to immediately create workspace directories and write `.image-skills/image-generation/EXTEND.md` without prior warning or consent. Autonomous modification of project configuration can surprise users, alter repository state, and create trust and integrity issues, especially in shared or version-controlled workspaces.

Missing User Warnings (Medium, 93% confidence)

Finding: The documentation explicitly states that the CLI can encode local files as base64 data and send them to the external WeryAI service, but it provides no user-facing warning that local content will leave the machine and be transmitted to a third party. In an article-illustration skill, users may reasonably assume local images are processed locally or only used as references, so this omission can cause unintended disclosure of sensitive files or proprietary images.

Missing User Warnings (Medium, 95% confidence)

Finding: The generation request body includes prompt text, negative prompts, reference images, and optional webhook settings, all of which are transmitted to external services without an execution-time disclosure or consent checkpoint. In a content-generation skill, prompts may contain unpublished article material, sensitive references, or internal assets, so silent transmission raises privacy and data-handling risk.

Missing User Warnings (Medium, 96% confidence)

Finding: The child process receives the full inherited environment via `...process.env`, including any secrets, tokens, proxies, and CI credentials present in the host. Because this wrapper then launches external tooling, any compromise or unexpected behavior in that subprocess chain can expose sensitive environment data unrelated to illustration generation.

VirusTotal

VirusTotal findings are pending for this skill version.