Image Generation Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal external image-generation skill, with disclosed third-party processing and storage considerations rather than evidence of abuse.

Install only if you are comfortable sending prompts, reference images, and generated outputs to the named external services. Avoid regulated, confidential, or private images unless you have consent, and invoke the skill only for clear image-generation tasks to avoid accidental usage or charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill clearly states that prompts and reference images are used by external services and that generated outputs are auto-saved to AgentPMT File Manager, but it does not present this as an explicit privacy/data-handling warning to the user before use. This can cause users or calling agents to unknowingly transmit sensitive prompts or images to third-party infrastructure and retain them for up to 7 days.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation keywords include very generic terms such as 'prompt' and 'aspect ratio,' which are common across many unrelated workflows. In agent ecosystems that auto-discover or auto-select skills by keyword matching, this can trigger unintended invocation of a paid external image-generation service and cause unnecessary data transmission or charges.

VirusTotal

64/64 vendors flagged this skill as clean.
