Security audit

Create 3d Model From Image

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent AgentPMT 3D model generation integration, with the main caution that user prompts and images are sent to an external service.

Install only if you are comfortable sending 3D prompts, source images, texture images, and related asset details to AgentPMT. Avoid submitting private, regulated, copyrighted, client-owned, or proprietary material unless you have permission and understand the provider's handling and billing terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 88% confidence

Finding: The skill advertises broad activation keywords such as generic 3D modeling and image-to-3D terms without exclusion boundaries, which can cause overbroad routing and unintended invocation. In practice, this may send user prompts, images, or URLs to a paid remote service when the user did not explicitly intend to use this specific third-party tool.

Missing User Warnings

Medium, 95% confidence

Finding: The skill explicitly supports sending user-supplied images, prompts, base64 data URIs, and URLs to a remote tool, but it does not include a clear user-facing warning or consent step about third-party data transmission. This creates privacy and compliance risk if sensitive, copyrighted, or confidential content is forwarded externally without the user's informed approval.

VirusTotal

62/62 vendors flagged this skill as clean.
