Cyberpunk Image Generator

Security checks across malware telemetry and agentic risk

Overview

This is a genuine WeryAI image-generation wrapper, but it is rated Review because it can persist API keys to disk, modify project configuration, install tooling, upload local files as prompt references, and send callbacks to arbitrary endpoints with little scoping.

Install only if you trust the publisher and WeryAI. Use a dedicated low-privilege API key; prefer an environment variable or secret store over persisting the key in a project .env file; review every setup or install prompt before approving it; avoid passing sensitive local files as prompts or references; and do not enable the webhook or web-search options unless you understand where the data will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The instructions direct the agent to handle and persist API credentials in local project files, which expands the skill from image generation into secret management. This is dangerous because a compromised or overly capable skill can capture, store, or misuse bearer tokens, and local persistence in workspace files increases the chance of accidental disclosure, reuse by other tooling, or exfiltration.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill authorizes the agent to auto-bootstrap local dependencies and potentially install software on the user's behalf, which exceeds a narrow art-generation role. Even with approval language, this creates an unnecessary execution and supply-chain risk because dependency installation can run arbitrary package scripts and alter the local environment.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The file instructs the agent to manage workspace configuration files and refresh a model registry, which broadens the skill's authority beyond simply generating images. While less severe than secret handling, it still grants file-write and environment-modification capabilities that could be abused to alter project state unexpectedly or stage later misuse.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script discovers package.json files and runs `npm install` in each matching directory, which executes dependency lifecycle scripts and performs network/package-supply-chain actions. For an image-generation skill, this bootstrap capability is unrelated to the declared purpose and expands the attack surface significantly if invoked on untrusted or overly broad directories.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The recursive scan walks the provided root directory and identifies every `package.json` outside a small skip list, enabling the later install routine to act on arbitrary nested projects. In this skill context, broad filesystem discovery is unnecessary and makes the unrelated install behavior more dangerous by increasing the scope of packages that can be targeted.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script accepts an arbitrary --output path, resolves it, creates parent directories, and writes attacker-controlled content there without restricting the destination. In an agent environment where a model or untrusted user can influence arguments, this enables arbitrary file write within the agent's OS permissions, which can overwrite application files, drop misleading documents, or tamper with local state.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script writes a new project-level configuration file under `.image-skills/<namespace>/EXTEND.md` automatically when certain conditions are met. For a skill presented as an image generator, modifying repository configuration is unexpected behavior and can create persistence, alter downstream tool behavior, or violate least-astonishment if the skill is invoked in a user's project directory.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The readiness flow inspects the environment and project, determines missing bootstrap targets, and then automatically runs `bootstrapImpl` whenever pending targets exist. Even if intended as setup automation, this exceeds the expected scope of an image-generation skill and increases attack surface by allowing the skill to change local state, install or prepare dependencies, and interact with project directories without an explicit, narrowly scoped approval step.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
The skill exposes a `use_web_search` capability that is not necessary for local prompt-to-image generation and widens the data-flow surface to external services. In an agent context, this can cause prompts or user-supplied content to be sent to additional third parties, creating unnecessary privacy and policy risk.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Arbitrary `--webhook-url` support allows generated task results and related metadata to be sent to any attacker-controlled endpoint. In an agent environment, this creates a straightforward exfiltration path and enables SSRF-like outbound interactions to untrusted destinations beyond the stated image-generation purpose.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
This code reads API keys from process environment or CLI arguments and writes them into project or home .env files. Persisting secrets to disk increases exposure through accidental commit, overly broad filesystem access, backup leakage, or multi-user host access; for a skill marketed as an art generator, that added credential-handling surface is not strictly necessary.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is advertised as a cyberpunk-only image generator, but the exposed style presets are broad, general-purpose image generation modes. This creates a scope mismatch that can let users repurpose the skill for non-cyberpunk content, weakening policy boundaries and increasing the chance the skill is used outside its declared intent.

Description-Behavior Mismatch

Low
Confidence
85% confidence
Finding
The example command uses a generic prompt about 'a cat wearing sunglasses' with only incidental neon-city wording, which demonstrates general image generation rather than a narrowly cyberpunk-focused workflow. Examples shape user behavior, so this increases the likelihood of the skill being invoked for out-of-scope content and undermines the safety implied by the metadata.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is scoped as a cyberpunk image generator, but these instructions expand its behavior into general environment setup, dependency management, and credential persistence. That broadening increases the agent's operational privileges and creates opportunities to modify the user's workspace or store secrets in ways unrelated to the narrow user intent.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documentation shifts from cyberpunk-specific generation into generic model discovery, recommendation, and switching logic for arbitrary image workflows. While not an exploit by itself, it materially broadens the skill's authority and encourages actions outside its declared purpose, increasing the chance of unexpected configuration changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instructions direct the agent to persist an API key into a local .env file or invoke setup that does so, which is sensitive secret-handling beyond the stated art-generation purpose. Persisting credentials in project files can expose them to accidental commit, local leakage, or misuse by other tools in the workspace.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The readiness pass includes auto-bootstrapping local dependencies and an installation approval flow unrelated to the narrow task of generating cyberpunk art. Even with approval, embedding package installation behavior into the skill expands the attack surface and can lead to unnecessary code execution or environment modification.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script recursively discovers every package.json under the supplied root and then bootstraps them by installing dependencies. For an image-generation skill, that is an unnecessary expansion of capability and increases supply-chain and code-execution risk, because npm install can run lifecycle scripts from any discovered package.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code invokes npm install via spawnSync, which can execute arbitrary code through package lifecycle hooks and fetched dependencies. In the context of a cyberpunk image generator, spawning a package manager is unrelated to the advertised function and materially increases the chance of supply-chain compromise or unintended local code execution.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The CLI exposes a `--use-web-search` option and forwards `use_web_search=true` to the upstream image API, even though the skill is described as an image generator. That expands the skill from generation into external information retrieval, which can leak user prompts to third-party search systems, produce nondeterministic outputs, and violate least-privilege expectations for a narrowly scoped art skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts an arbitrary `--webhook-url` and passes it directly to the remote generation API as `webhook_url`. This can be abused to cause server-side callbacks to attacker-controlled endpoints, enabling data exfiltration of task metadata, internal workflow abuse, or use of the third-party service as a callback proxy unrelated to image generation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The wrapper accepts an arbitrary local entry script from argv and executes it through `npx bun`, so the file is not limited to a fixed image-generation workflow. In an agent-skill context, this creates a broad code-execution primitive: if an attacker can influence the entry script path or how the launcher is invoked, they can run unintended local code with the current process environment and inherited I/O.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
If local dependencies are still missing after the check, the agent should ask the user for approval to install them on the user's behalf.

If `IMAGE_GEN_API_KEY` is missing, the agent should tell the user that image generation needs an API key and offer to configure it now. After approval, the agent should persist it to `.image-skills/image-generation/.env` or run `npm run setup -- --project . --workflow <workflow> --persist-api-key` when the key is already available in env. Do not ask the user to debug local setup manually before this readiness pass.

Treat the API key as a secret:
Confidence
84% confidence
Finding
Do not ask the user

VirusTotal

VirusTotal findings are pending for this skill version.
