Security audit

Memegen

Security checks across malware telemetry and agentic risk

Overview

This meme skill is not clearly malicious, but it needs review because its optional trend and GIF features use third-party credentials and local downloads that go beyond the URL-only description.

Install only if you are comfortable with meme captions, search terms, and background image URLs being sent to third-party services. Avoid the Reddit script with a personal account password; skip or isolate the Reddit/Giphy features unless you intentionally need them. Review scripts before running them, do not use sensitive text in generated meme URLs, and prefer explicit humor/audience settings over automatic cultural targeting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (40)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises a simple meme-generation capability but includes documented shell and network operations such as curl downloads, Python execution, and local file writes. Undeclared operational capabilities increase the risk of unexpected remote access or filesystem side effects when the skill is invoked.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
There is a meaningful mismatch between the stated behavior ('URL-only' meme generation) and the broader documented behaviors, including local rendering/post-processing and use of multiple third-party sources. This weakens user consent and reviewability because a caller may authorize a harmless-seeming meme skill that actually performs additional network retrieval and local processing.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest says no local generation is needed, yet the documentation includes full local rendering and image post-processing code. This inconsistency can mislead security review and runtime policy decisions, making the skill more capable than users or orchestrators expect.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
Directing the agent to use external trending-template sources broadens data flows beyond the core memegen API and introduces additional third-party dependencies. While not inherently malicious, it increases privacy, supply-chain, and reliability risk compared with the declared narrow purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file materially expands a simple meme-generation skill into a policy and playbook for producing edgy, offensive, and region-targeted content, including dark humor, political themes, and culturally sensitive topics. In skill context, that broadening is dangerous because it can steer an agent to generate harmful or discriminatory content beyond the stated purpose of calling a meme API.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documented capability set includes high-risk humor modes and localized cultural/political targeting that are unnecessary for a generic meme URL generator. That increases the chance the agent will produce abusive, polarizing, or unsafe outputs while appearing to act within supported skill behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation claims local image post-processing support via Pillow code paths, which contradicts the manifest's claim that no local image generation is needed. This kind of scope drift is risky because it can cause an agent or integrator to attempt unsupported local file handling and image manipulation outside the reviewed API-only boundary.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Stating that deep-fried, surreal, and shitpost modes require local post-processing directly undermines the declared architecture of a URL-only meme generator. That mismatch can lead to unsafe assumptions about local execution, file access, dependency use, and unreviewed image-processing behavior in downstream agent implementations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The Python integration example expands the skill's capabilities from simple URL construction into arbitrary subprocess execution by invoking curl. Even though the current command uses an argument list rather than a shell, encouraging agents to use subprocesses for a meme-generation task unnecessarily broadens the execution surface and normalizes command execution in contexts where direct HTTP libraries would suffice.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The Node.js example uses child_process.execSync to run a shell command for downloading the meme, which is unnecessary for the stated purpose and significantly riskier than a normal HTTP request. Because the command string interpolates the URL into a shell command, any insufficient encoding or future change to accepted inputs could turn this into command injection in downstream integrations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The example invokes an external program (`curl`) to fetch a user-influenced URL and write the result to disk. Although it avoids shell interpolation by passing an argument list to `subprocess.run`, spawning external binaries increases attack surface, relies on ambient system tooling, and can enable unsafe network/file side effects in agent environments.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The structured-tool example also shells out to `curl` for downloading remote content, preserving the same risks of external process execution and agent-triggered network/file side effects. In LLM tool contexts, examples are often copied directly into production, so this pattern can normalize unsafe subprocess usage.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This documentation expands the skill from simple memegen.link URL generation into handling Reddit OAuth credentials and Giphy API keys, which introduces secret management and broader third-party integrations not reflected in the stated skill purpose. That scope creep increases the chance an agent or user will collect, store, or misuse sensitive credentials in a context that was not designed for secret handling.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The file documents GIF search/download flows and external content sourcing that go beyond the advertised behavior of generating meme images via memegen.link URLs. This broadens the operational surface to fetching remote content and writing files locally, which can lead to unintended network access, policy bypass, or mishandling of untrusted media.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script's documented and actual behavior targets Giphy search and GIF download, which materially deviates from the declared skill purpose of generating meme URLs via memegen.link. In an agent-skill context, capability drift is dangerous because it can introduce unexpected network access, secret usage, and content retrieval beyond what a user or reviewer would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script requires and transmits a GIPHY_API_KEY for functionality not justified by the skill description. Unnecessary secret access expands the attack surface and violates least-privilege expectations, especially in a skill advertised as simple URL generation without external authenticated dependencies.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script downloads remote content to /tmp/meme.gif even though the skill is described as URL-based meme generation with no local image generation needed. This creates an unexpected local-write side effect and can enable disk abuse, content staging, or downstream misuse of untrusted files in environments that assume the skill only returns URLs.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The inline documentation explicitly states this is a Giphy GIF search-and-download script, contradicting the published memegen.link intent. Such contradictions are a strong indicator of mis-scoped or repurposed code, making review harder and increasing the risk that users grant permissions or trust under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script adds functionality to scrape Imgflip's trending templates, which is outside the declared memegen.link-only scope of the skill. Scope expansion to an unlisted third-party source increases supply-chain and privacy risk, and it can cause the agent to access external content and terms-of-service surfaces that users and reviewers did not expect.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
This code performs live scraping of a third-party website using custom HTTP requests and regex-based HTML extraction without a clearly justified need in the stated skill behavior. Even if not overtly malicious, such capability broadens outbound network access, creates dependence on untrusted remote content, and may expose the agent to compliance, reliability, or unexpected-content risks.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script performs Reddit trend scraping with account-authenticated OAuth, which is outside the declared scope of a memegen.link image-generation skill. This scope mismatch increases risk because the skill requests and uses user credentials for unrelated data collection, expanding the attack surface and enabling unexpected external data access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script requires Reddit username/password and client credentials, then performs OAuth login using the password grant flow, despite the skill only needing to generate meme URLs. Collecting and transmitting account credentials without necessity is dangerous because it exposes highly sensitive secrets and creates opportunity for credential misuse, leakage, or unauthorized account access.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The README notes optional external integrations and API keys but does not explicitly warn that using Reddit/Giphy/other remote services causes outbound network requests and may transmit user-provided meme text, search terms, or contextual data. In agent environments, undocumented egress can create privacy and compliance issues because operators may assume a local-only skill.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger phrases are broad enough to match common casual requests such as 'make' or 'send' something funny, increasing the chance of unintended invocation. Over-broad activation can cause surprising network access, content generation, or file creation in contexts where the user did not specifically request this skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs downloading remote content and writing it to /tmp without a clear user-facing disclosure. Silent network access and file creation can surprise users and may expose the environment to untrusted content handling or storage of generated artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
integrations/langchain.md:86