Sprite Animator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward AI sprite-animation helper, but users should know their input images are processed by Gemini.

Before installing, confirm you trust the `sprite-animator` package fetched by `uv`, consider pinning the package version, use a limited Gemini API key or quota where practical, and avoid personal, sensitive, or proprietary images unless you accept third-party Gemini processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly states it sends the user's source image to Gemini in a single request, but the description and user-facing documentation do not clearly warn that uploaded images leave the local environment and are transmitted to an external AI provider. This creates a privacy and data-handling risk because users may submit personal, sensitive, or proprietary images without informed consent or awareness of third-party processing.

VirusTotal

64/64 vendors flagged this skill as clean.
