Back to skill

Security audit

ai-image-prompt

Security checks across malware telemetry and agentic risk

Overview

This prompt-writing skill is not executable malware, but it teaches agents to disguise blocked sensitive image requests so generation platforms are more likely to accept them.

Install only after reviewing the policy-rewrite behavior. Use it for clearly allowed commercial product or apparel prompting, not to recover prompts a platform already refused. Require explicit consent for real-person likeness matching, avoid underage or sexualized contexts, and consider removing the broad triggers and policy-evasion rewrite references before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The document explicitly instructs users to rewrite prompts after a platform says they may violate content policy, with the goal of making them easier to approve. That is moderation-circumvention guidance, not ordinary prompt optimization, and it can enable users to obtain sexualized or otherwise restricted image outputs by laundering the request into safer-sounding language.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The step-by-step fallback sequence is designed to preserve the core request while iteratively reducing signals that trigger moderation, which is a classic evasion pattern. It operationalizes how to get previously rejected content accepted rather than enforcing policy boundaries, increasing the likelihood of successful bypasses at scale.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill’s trigger conditions are broad enough that ordinary user phrases about improving prompts, realism, product shots, or uploaded images could activate it unintentionally. Because this skill also contains policy-evasion rewrite behavior, accidental activation increases the chance that unsafe transformation logic is applied in contexts where the user did not explicitly request this specialized workflow.

Vague Triggers

High
Confidence
97% confidence
Finding
Using the single token 'ao' as a trigger is highly ambiguous and can collide with benign conversation, usernames, abbreviations, or multilingual text. In this skill, accidental invocation is especially risky because it can route requests into prompt-rewriting flows designed to preserve intent after policy refusal.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The Quick Rules section auto-enables major behavior branches based on very generic phrases like 'more detailed,' 'more realistic,' or 'higher quality.' This makes the skill easy to invoke unintentionally and amplifies the risk that sensitive rewrite or replication features are applied without clear user intent or additional safety review.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill includes preset prompts that explicitly direct output toward specific national or ethnic presentations such as 'Asian', 'Korean', and 'Japanese' without indicating that this should only occur when the user explicitly requests those attributes. This can cause the agent to inject sensitive demographic traits into generated content, creating stereotyping, biased personalization, or inappropriate identity assignment in normal use.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The template routing rules are broad and keyed to common user intents, which can cause this skill to activate for requests that may not actually need it. In an agent environment, over-broad activation can misroute user tasks, apply the wrong prompt policy, or unnecessarily ingest sensitive image or product context, increasing the chance of incorrect or policy-bypassing outputs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The portrait-related selectors overlap across realism, natural-human, reference-fidelity, and portrait pattern templates without clear separation. This ambiguity can produce inconsistent handling of user requests, including accidental escalation into strict mimicry or sensitive appearance-preservation flows when the user only asked for general enhancement.

Ssd 1

High
Confidence
99% confidence
Finding
The skill explicitly promises to produce a 'platform-safe rewrite' when content is blocked by policy, which indicates intent to preserve a request’s objective while bypassing moderation wording restrictions. This is dangerous because it operationalizes evasion of downstream safety systems instead of refusing or safely redirecting disallowed content.

Ssd 1

High
Confidence
99% confidence
Finding
The workflow gives top priority to a 'platform safety rewrite' path whenever the user mentions moderation, refusal, or policy failure. That directly trains the agent to treat safety enforcement as an obstacle to route around, increasing the likelihood of systematic policy bypass at scale.

Ssd 1

High
Confidence
99% confidence
Finding
This section instructs the model to swap 'high-risk words' for euphemistic commercial phrasing and to avoid sensitive terms even in negative prompts so platforms will not intercept them. That is classic moderation-evasion guidance: it changes wording, not intent, and is designed to defeat keyword or policy-based safeguards.

Ssd 4

Medium
Confidence
95% confidence
Finding
The staged fallback sequence progressively softens wording and presentation until the platform accepts the request. This creates an iterative bypass playbook that can help users probe and defeat moderation boundaries through repeated reformulation.

Ssd 1

High
Confidence
99% confidence
Finding
The intimate-apparel section explicitly says the system may internally preserve the real category while externally converting it into 'policy-safe' wording for the image model. This separation of internal intent from external phrasing is a strong indicator of deliberate safety circumvention, especially in a sensitive content area involving body-revealing apparel.

Ssd 1

High
Confidence
99% confidence
Finding
The Quick Rules explicitly activate a rewrite pathway when users mention policy failure or rejection, instructing the skill not to output sensitive terms in the final prompt. This makes moderation evasion a first-class, user-accessible feature rather than an accidental byproduct.

Ssd 2

Medium
Confidence
97% confidence
Finding
The skill explicitly advises rephrasing prompts to avoid high-risk review terms while preserving the same underlying intent, including face-related transformation scenarios and wording to prevent prompts from being flagged. That is dangerous because it functions as safety-evasion guidance, helping users bypass platform moderation rather than steering them toward compliant, policy-preserving use.

Ssd 2

Medium
Confidence
95% confidence
Finding
The guide explicitly aims to rewrite intimate-apparel requests into wording that is more likely to pass platform review, which is a form of safety-filter evasion. This is dangerous because it operationalizes policy circumvention rather than enforcing the platform's actual content boundaries, enabling disallowed or borderline content to be disguised as compliant commercial photography.

Ssd 2

High
Confidence
99% confidence
Finding
These instructions tell the model to internally retain the true sensitive category while omitting high-risk terms from the final prompt, which is a direct concealment mechanism. That makes the skill more dangerous because it preserves the user's original potentially disallowed intent while deliberately suppressing the signals a moderation system would use to detect it.

Ssd 2

Medium
Confidence
97% confidence
Finding
The mapping table provides euphemistic substitutions for sensitive apparel terms specifically to avoid using the original terms in outputs. This is dangerous because it standardizes a repeatable bypass pattern that can be applied at scale to conceal sensitive or moderation-triggering requests while still preserving their substance.

Ssd 2

High
Confidence
98% confidence
Finding
These sections teach the user to transform policy-blocked prompts into commercially framed wording specifically to avoid triggering safety filters. The dangerous part is not merely word substitution, but preserving the disallowed substance while disguising it as benign catalog language.

Ssd 2

High
Confidence
99% confidence
Finding
The replacement table maps sexualized and adult-oriented terms to euphemisms intended to keep the same concept while avoiding moderation triggers. This materially lowers the barrier to requesting restricted content and can be reused as a generic bypass playbook beyond this skill.

Ssd 4

High
Confidence
99% confidence
Finding
The staged '降敏' process instructs users how to alter wording, framing, composition, and body visibility to get a rejected request accepted without abandoning the underlying objective. In the context of an image-prompt skill, that is particularly dangerous because it provides a practical recipe for iterative filter evasion against safety systems.

Ssd 4

Medium
Confidence
95% confidence
Finding
This section explicitly instructs the model to lock onto facial identity features, style, and detailed intimate-apparel attributes to achieve '1:1 restoration' and 'strict replication' of an uploaded model or reference image. In context, that materially increases the risk of non-consensual likeness replication, identity impersonation, and generation of sexualized or invasive content involving real people, especially because the workflow normalizes exact copying rather than transformation or abstraction.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.