SnapOG

Security checks across malware telemetry and agentic risk

Overview

SnapOG is a straightforward image-generation helper that uses a disclosed third-party API and API key, with privacy and webhook cautions users should understand.

Install only if you are comfortable giving the agent access to a SnapOG API key and sending generation text, titles, tags, image/logo URLs, and template parameters to SnapOG. Use webhook URLs only when you control or trust the destination, avoid secrets or sensitive internal content in generated images and URLs, and monitor API usage if the account has quota or billing impact.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill directs users to send user-provided content and an optional webhook URL to a third-party service, but gives no warning that prompts, image inputs, and callback endpoints leave the local environment. This creates real privacy and SSRF-style risk in agent contexts, especially if untrusted users can influence `webhook_url` or sensitive internal URLs are supplied.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The documentation instructs use of a bearer token from `SNAPOG_API_KEY` in outbound requests without any guidance on secret handling, redaction, or safe storage. In agent/tooling environments, this can lead to accidental exposure in logs, transcripts, error messages, or copied examples.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal