Agent-first Marketing Image Generation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Rynjer image-generation helper, with live mode sending prompts to Rynjer and potentially spending credits as disclosed.

Before enabling live mode, use a limited Rynjer token, run estimate_image_cost before generate_image, keep counts and resolution modest, and avoid putting secrets or confidential business details in prompts unless you intend to send them to Rynjer.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README instructs users to enable live mode, set a bearer-style access token, and submit prompts to a real external backend, but it does not clearly warn that prompt contents and related request metadata will leave the local environment. In an agent setting, prompts can contain sensitive user data, internal project details, or proprietary instructions, so the omission can lead to unintended data disclosure to a third-party service.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The generate_image tool can trigger a real resource-consuming operation, but its description does not warn that invocation may incur credits/costs. In an agentic environment, this increases the chance of unintended billable actions or repeated generations, especially because the manifest also exposes count, resolution, quality, and polling-related parameters that can amplify usage.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal