Security audit

Ai Image Generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward API-backed image-generation skill that sends prompts and image URLs to SkillBoss, with no hidden code, install hooks, persistence, or destructive behavior found.

Install this only if you trust SkillBoss with the prompts and image URLs you provide. Avoid submitting confidential designs, private image links, secrets, or sensitive personal data unless that use is approved, and prefer a scoped or replaceable API key where available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The manifest description contains many broad trigger phrases such as generic image-generation and AI-art terms, which can cause the skill to activate for ordinary user requests that do not specifically intend to use this third-party service. In a skill ecosystem, overbroad triggering increases the chance of unintended routing of user prompts and associated data to an external API.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The examples instruct users to send prompts and, in some cases, image URLs to a third-party endpoint without any explicit notice that user content will leave the local environment. This is dangerous because prompts and referenced images may contain sensitive business, personal, or proprietary information, and users are not warned about transmission, retention, or third-party processing.

VirusTotal

42/42 vendors flagged this skill as clean.

View on VirusTotal