Security audit

Character Image Generator

Security checks across malware telemetry and agentic risk

Overview

This is mostly a real character image generator, but it has under-disclosed local file upload and setup behaviors that should be reviewed before installation.

Install only if you are comfortable with a WeryAI-backed generator that may write .image-skills config files, store an API key in a local plaintext .env when setup is used, and upload any local reference images passed to it. Avoid passing sensitive local images or webhook URLs unless you explicitly intend to send that data off-host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The setup flow instructs the agent to silently execute a readiness command that can detect and auto-bootstrap local dependencies before any explicit user-facing consent. For a character-image-generation skill, broad local command execution and environment mutation exceed the narrow expected scope and create risk of unexpected code execution or package installation in the user's workspace.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill directs the agent to obtain, handle, and persist API credentials into local files or setup commands, which expands the skill from image generation into credential management. This increases the chance of secret exposure, improper storage, and unauthorized persistence of sensitive tokens in workspace files that may later be committed, logged, or read by other tools.

Context-Inappropriate Capability

Severity: Low
Confidence: 87%
Finding
The instructions tell the agent to create directories and write configuration files immediately as part of default model initialization, even when the user has not explicitly approved workspace modification. While lower severity than credential handling, this still permits unsolicited file changes outside the core act of generating an image and can surprise users or interfere with repository state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The script invokes `npm install` in every discovered package directory, which executes arbitrary lifecycle scripts from dependencies and performs network/package-resolution actions. In a skill advertised purely for character image generation, bundling a bootstrapper with recursive install capability is unnecessary and materially expands the attack surface if run in an automated or trusted environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The file recursively searches the skill tree for `package.json` files and installs dependencies in each matching directory, including dev and optional dependencies. This behavior is unrelated to the declared image-generation purpose and creates a supply-chain execution path where any added nested package can trigger package installation and potentially execute malicious install scripts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The script writes an EXTEND.md configuration file into an arbitrary project directory based on the --project argument or current working directory, even though the skill's stated purpose is character image generation. This creates side effects outside the immediate skill runtime and can silently modify user projects, which is risky in agent contexts where setup scripts may run automatically or with user trust.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The readiness flow automatically invokes bootstrapImpl when doctorImpl reports pending targets, causing install/setup-like changes as part of a check operation. For a character-image skill, this expands behavior from content generation into environment modification, increasing the chance of unexpected file changes or dependency setup in the host project.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill exposes a `use_web_search` capability even though its declared role is character image generation. That expands the trust boundary from local prompts and reference images to arbitrary external web content, which can introduce prompt/data exfiltration risks, unreviewed third-party content ingestion, and behavior not disclosed by the manifest.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The `--webhook-url` option allows sending generation results or callbacks to an arbitrary remote endpoint unrelated to the core image-generation purpose. This can be abused to exfiltrate prompts, metadata, task identifiers, and indirectly generated content to attacker-controlled infrastructure, especially in automated agent contexts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The script can persist IMAGE_GEN_API_KEY into a project or home-directory .env file, which creates a plaintext local secret at rest. Even without exfiltration, storing credentials in broadly readable locations can expose them to other local users, accidental commits, backups, or unrelated tooling that scans .env files.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The setup flow instructs the agent to bootstrap dependencies, inspect environment state, and persist secrets/configuration into the workspace before doing its core image-generation task. Those are privileged side effects beyond simple prompt-to-image behavior, and if executed by an autonomous agent they expand the skill's authority over the local project and secrets footprint.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
Allowing the agent to install local dependencies on the user's behalf gives it package-management capability, which is powerful and risky in a skill whose stated purpose is character image generation. Dependency installation can execute arbitrary postinstall scripts, alter the environment, and introduce supply-chain risk if abused or if upstream packages are compromised.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The instructions tell the agent to persist `IMAGE_GEN_API_KEY` into a local `.env` path, which grants the skill secret-handling and credential storage behavior unrelated to its narrow generation purpose. Storing credentials through agent-driven file writes increases the chance of accidental exposure, insecure file placement, later exfiltration by other tools, or commits of secrets into source control.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill instructs the agent to create directories and write `EXTEND.md` to initialize workspace defaults without first limiting itself to transient generation actions. This broadens the skill from producing character images into modifying project configuration, which can create persistence, surprise side effects, and policy drift in the user's workspace.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
This script writes a new project-level configuration file under .image-skills without an explicit user confirmation gate. For a character-image generation skill, modifying repository or project configuration is outside the minimally necessary behavior and can unexpectedly change downstream tool behavior or persist state in the user's workspace.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The file acts as an installer/readiness orchestrator, invoking doctor and bootstrap flows and potentially changing local state before the core image-generation function is used. In the context of a character-image generator, this is unnecessary privilege and increases the attack surface because a user invoking the skill may trigger environment modifications rather than just content generation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
When pending targets exist, the script automatically calls bootstrapImpl, which is specifically designed to install or alter dependencies and local project state. That capability is not justified by the declared skill purpose, so if this script is triggered in normal operation it could modify the environment unexpectedly and create persistence or supply-chain risk depending on what bootstrap does.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The CLI exposes a `--use-web-search` flag and forwards `use_web_search=true` to the upstream API, adding network-retrieval capability that is not necessary for a character-image generation skill. This expands the skill's behavior beyond its declared scope, can leak user prompts to additional systems, and gives an image-generation tool an unnecessary data-ingestion path.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill accepts an arbitrary `--webhook-url` and sends it to the provider as `webhook_url`, enabling external callbacks unrelated to local image generation. In an agent context this creates an outbound exfiltration and SSRF-like surface, since an attacker could direct provider-side callbacks to attacker-controlled or internal endpoints.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The wrapper accepts an arbitrary entry-script argument, resolves it, and executes it through `npx bun`, which effectively turns a character-image skill into a general code-execution launcher. In the context of an agent skill, this is dangerous because any caller or upstream component that can influence `entryArg` can run unintended local scripts with the agent's privileges, well beyond the declared image-generation scope.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The trigger test prompt "Original character portraits for me." is broad, conversational, and lacks clear scope constraints tying it specifically to this skill beyond a loose semantic match. Ambiguous triggers can cause the skill to activate on generic art or portrait requests unintentionally, increasing the chance of misrouting, prompt hijacking via overlapping skills, or unintended execution in contexts the author did not mean to cover.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The file explicitly instructs the agent to run a readiness pass silently before model choice, even though that pass can check dependencies and auto-bootstrap them. Silent execution of setup commands without a prior warning undermines user awareness and consent, especially in a skill whose advertised purpose is only character image generation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The default-model initialization directs the agent to start from a bundled registry 'silent, no user involvement' and immediately write configuration files. That hidden workspace mutation is risky because it normalizes unattended file creation and configuration changes without making the user aware that the repository or local project state will be altered.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The script writes to an arbitrary path supplied via --output with no path restriction, confirmation, or sandboxing. In an agent context, if untrusted input can influence CLI arguments, this can overwrite files in the workspace or other accessible locations, causing integrity damage or facilitating follow-on attacks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
For image-to-image requests, local reference files are read and converted to base64 for transmission to the remote WeryAI API. In an agent setting, this can unintentionally send sensitive local images or documents with image-like extensions off-host without a prominent just-in-time warning or confirmation.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

suspicious.dangerous_exec (Critical): Shell command execution detected (child_process).
  • scripts/bootstrap.mjs:86
  • scripts/doctor.mjs:56
  • scripts/smoke-check.mjs:18
  • scripts/vendor/shared-image-generation/scripts/bootstrap.mjs:86
  • scripts/vendor/shared-image-generation/scripts/doctor.mjs:56
  • scripts/vendor/shared-image-generation/scripts/smoke-check.mjs:18
  • scripts/vendor/weryai-image/discover-models.mjs:9
  • scripts/vendor/weryai-image/doctor.mjs:9
  • scripts/vendor/weryai-image/main.ts:14
  • scripts/vendor/weryai-image/recommend-model.mjs:9
  • scripts/vendor/weryai-image/run-generate.mjs:23
  • scripts/vendor/weryai-image/setup.mjs:9

suspicious.env_credential_access (Critical): Environment variable access combined with network send.
  • scripts/main.ts:47
  • scripts/vendor/shared-image-generation/scripts/main.ts:51

suspicious.potential_exfiltration (Warn): File read combined with network send (possible exfiltration).
  • scripts/main.ts:6
  • scripts/vendor/shared-image-generation/scripts/main.ts:6