Back to skill

Security audit

Sih.AI Photo Changer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims as a cloud photo editor, but it uploads user images to an external API using a hardcoded bearer token and does not clearly disclose the exact service or privacy boundary.

Install only after accepting that any image you provide, including local personal photos, may be uploaded to an external image API along with your prompt. Avoid sensitive or non-consensual face, body, or clothing edits, and prefer a version that clearly documents the provider domain and requires your own API key instead of shipping a token in the package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation clearly describes calling an external API and handling image URLs, Base64 data, and remote responses, which implies network access even though no permissions are declared. Undeclared network capability is dangerous because it weakens transparency and reviewability: users and platform controls may not realize the skill can transmit user-supplied images or prompts to a third-party service.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains a hardcoded bearer token directly in source code, which exposes a live credential to anyone who can read the skill, repository, logs, or packaged artifact. This enables unauthorized use of the third-party image API, quota theft, billing abuse, and makes secret rotation difficult after disclosure.

Missing User Warnings

High
Confidence
98% confidence
Finding
A hardcoded API credential is used to send user-provided images and prompts to an external service without any user-facing disclosure or consent mechanism. This combines secret exposure with silent data exfiltration risk, since local image files may contain sensitive personal content that is transmitted off-host to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.