Qwen Image

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Qwen/DashScope image generation helper that uses an API key, external image APIs, and local output files in ways that match its stated purpose.

Install if you intend to use Aliyun DashScope/Model Studio for image generation or editing. Use a scoped DASHSCOPE_API_KEY, avoid printing the full key with echo in shared logs, review the output directory before running commands, and only submit prompts or images you are comfortable sending to the external provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill clearly instructs use of environment variables, network access to DashScope/Model Studio, and local file writes for downloaded images, but it does not declare corresponding permissions. This creates a trust and review gap: the runtime behavior is broader than the manifest communicates, so users or orchestrators may authorize or execute the skill without understanding that secrets will be read, remote services contacted, and files written locally.

VirusTotal

67/67 vendors flagged this skill as clean.
