Back to skill

Security audit

Ai Image Generation

Security checks across malware telemetry and agentic risk

Overview

This is a normal external AI image-generation skill, with privacy caveats because prompts and image URLs are sent to SkillBoss.

Install only if you are comfortable sending image prompts, image URLs, and related generation inputs to SkillBoss. Use a scoped, revocable API key and avoid submitting confidential prompts, private images, internal URLs, or sensitive visual material unless that third-party processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is excessively broad and includes common phrases like 'image generation', 'generate image', and 'ai art', which can cause this skill to activate in contexts where the user did not explicitly intend to invoke it. Over-broad activation increases the chance that user prompts or image URLs are sent to the external SkillBoss service without clear user awareness or consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation shows prompts and image URLs being sent to an external API but does not clearly warn users that their content will leave the local environment and be processed by a third party. This creates a privacy and data-handling risk, especially if users submit sensitive prompts, proprietary images, or confidential URLs assuming local-only processing.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.