Extract Image

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it sends user-supplied image data or URLs to an external API and persists an API key locally without enough privacy or retention disclosure.

Install only if you are comfortable sending images, base64 image payloads, URLs, and an XBY API key to the XiaoBenYang service. Avoid using it with confidential screenshots, IDs, contracts, private or signed URLs, or regulated data unless you have reviewed the provider's privacy practices. Check and protect the generated .env file, and delete XBY_APIKEY when you no longer need the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: High
Confidence: 88%
The manifest says the service works on local files and URLs, but the documented tools also accept raw base64 image content. This hidden input surface increases the chance that users or orchestrators pass in embedded image data containing sensitive content without appropriate disclosure, validation, or policy controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
The manifest says the service works on local files and URLs, but the documented tools also accept raw base64 image content. This hidden input surface increases the chance that users or orchestrators pass in embedded image data containing sensitive content without appropriate disclosure, validation, or policy controls.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
The project structure and return-handling sections describe a different service, indicating substantial documentation reuse and weak change control. In a security-sensitive skill, this increases the chance that users misunderstand what code executes, what data is returned, and whether unrelated remote-service behavior or credential handling is occurring.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
This module persists an API key to a local .env file and exposes helper functions to set and retrieve it, which exceeds the stated purpose of an image extraction/conversion service. In an agent skill context, adding credential persistence unrelated to the manifest increases the risk of secret collection, unintended storage, and later leakage through logs, repo commits, backups, or other tools with filesystem access.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
The code both writes credentials to .env and mutates the process environment via os.environ, giving the skill secret-handling capabilities not justified by its declared image-conversion role. That broadens the blast radius because other components in the same process may subsequently read or misuse the injected secret, and users may not expect a utility skill to alter runtime credential state.

Intent-Code Divergence

Severity: Medium
Confidence: 81%
The class docstring references an unrelated gaokao skill while the manifest describes an image extraction/conversion service, indicating code reuse or mismatch between declared and actual functionality. In security review, this inconsistency is dangerous because it can conceal unexpected behavior such as unrelated network access or credential handling, making user trust and review accuracy worse.

Missing User Warnings

Severity: Medium
Confidence: 97%
The description does not warn users that local files, URLs, or base64 image contents may be transmitted to an external API for analysis. This is dangerous because screenshots, documents, and photos often contain secrets or personal data, and users may assume the processing is local based on the stated purpose.

Missing User Warnings

Severity: Medium
Confidence: 95%
The skill instructs the agent to collect and save the user's API key, but it does not disclose how the key is stored, how long it persists, or who can access it. That omission creates credential-handling risk and may lead users to provide secrets without informed consent, especially if the key is written to a local .env file.

Missing User Warnings

Severity: Medium
Confidence: 91%
The function persists an API key to .env automatically without any visible confirmation, warning, or disclosure about long-term storage. This can cause users or integrators to unknowingly leave sensitive credentials on disk where they may be committed, backed up, read by other local users, or exposed by later tooling.

Missing User Warnings

Severity: Medium
Confidence: 91%
This function sends user-supplied local file content to an external API via call_api, but the file does not provide an explicit privacy or network-transmission warning. In a skill whose description emphasizes extraction/conversion, users may reasonably not expect local images or documents to be uploaded off-device, which can expose sensitive screenshots, IDs, or confidential materials.

Missing User Warnings

Severity: Low
Confidence: 84%
The URL-based function forwards the provided URL and related parameters to an external API without clear disclosure in this file that remote network access or third-party processing will occur. While less sensitive than local-file upload in many cases, private or signed URLs can leak internal resource locations, access tokens, or browsing intent to an external service.

Missing User Warnings

Severity: Medium
Confidence: 92%
Base64 input often contains raw image data copied from screenshots, documents, or app buffers, and this function transmits that data to an external API without explicit warning in the file. Because base64 can encapsulate highly sensitive visual content, silent off-device transfer increases privacy and data-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.