Openai Image Gen Andy27725

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses an OpenAI API key to generate images and save a local gallery.

Install only if you are comfortable providing an OpenAI API key and paying for image-generation requests. Use --out-dir if you want outputs confined to a specific folder, and review prompts before running because they are sent to the OpenAI Images API.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation and metadata indicate use of environment variables, network access to the OpenAI Images API, and local file writes/reads, but the skill does not declare permissions for those capabilities. This creates a transparency and policy-enforcement gap: users or orchestration systems may run the skill without understanding it can access API keys, make outbound requests, and write files such as images and HTML galleries to disk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal