wan-text2image

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward DashScope text-to-image helper, with expected cloud API use but some privacy and input-handling caveats.

Install this only if you intend to use Alibaba Cloud DashScope for image generation. Avoid putting secrets, private data, or confidential prompts into requests, use a revocable API key where possible, and be aware that unusual quotes or JSON-like text in prompts may cause malformed or unexpected API requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger conditions are broad enough to match many generic image-generation requests, which can cause the skill to activate in situations where the user did not specifically intend to use this third-party service. In context, that matters because activation leads to external API use and potential data transfer, so over-broad routing increases privacy and consent risk.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation describes the remote API endpoint and required API key, but it does not clearly warn that user prompts and related content will be transmitted to DashScope. This is a real privacy and data-handling issue because users may enter sensitive text, assuming local processing, when in fact their content is sent to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal