keevx-image-generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Keevx image-generation helper, but users should understand that prompts, selected images, and optional callback results are sent outside the local machine.

Install only if you are comfortable sharing the prompts and reference images you choose with Keevx. Use a revocable API key if available, avoid confidential or regulated images unless approved for that provider, and provide callback URLs only for endpoints you control and trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to upload local files and send prompts or reference image URLs to a third-party API, but it does not clearly warn that user content will leave the local environment. This creates a real privacy and data-handling risk because users may unknowingly transmit sensitive images, metadata, or confidential prompt content to an external service.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The optional callback_url parameter allows generated task results to be POSTed to a user-specified endpoint, but the skill does not warn that this causes data to be sent onward to another destination. That omission can lead to accidental exfiltration of image URLs, task identifiers, or status data to untrusted or attacker-controlled endpoints.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal