Axelhu Local Sdxl

Security checks across malware telemetry and agentic risk

Overview

This skill is a local SDXL image-generation helper with a privacy caveat around possible Feishu delivery of generated images.

Install this only if you trust your local ComfyUI and model setup. For sensitive or commercial images, tell the agent to save results locally only and not send them through Feishu or chat unless you explicitly approve; also keep image size and step counts within your GPU limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The documentation states that generated images are sent to users via Feishu, but the provided examples only save files locally or expose a localhost URL. This mismatch is security-relevant because the skill is advertised for privacy-sensitive local generation, yet the documented behavior implies an additional outbound transmission channel that users may not expect or consent to.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill emphasizes local/private image generation, but the output section says the image will be sent through Feishu without any explicit warning or consent flow. For prompts or generated images containing private, commercial, or sensitive content, this can create an unexpected data disclosure path that directly contradicts the skill's privacy-oriented positioning.

VirusTotal

66/66 vendors flagged this skill as clean.
