Back to skill

Security audit

CLIProxy Media

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it sends selected images, PDFs, URLs, and prompts to the configured proxy or API endpoint.

Install only if you want image/PDF analysis routed through a CLIProxy-compatible endpoint you control or trust. Avoid sensitive, regulated, proprietary, or private documents unless that endpoint's access, logging, retention, and billing terms are acceptable, and do not let untrusted callers set CLIPROXY_URL or --url.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'req' from os.environ.get (line 205, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req, timeout=120) as resp:
            if stream:
                return stream_response(resp)
            else:
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=120) as resp:

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is presented as a CLIProxy-specific media analyzer, but the documentation broadens it to arbitrary Anthropic-format providers, including direct Anthropic use. This scope expansion can bypass user expectations, organizational routing controls, or cost/privacy assumptions tied to the proxy-only description.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script accepts arbitrary http/https URLs and passes them to the proxy as image URLs, even though the skill is framed as media-file analysis. This expands the trust boundary and can be abused to make the remote proxy fetch attacker-chosen resources, which may enable SSRF against networks reachable by the proxy or unintended retrieval of private URLs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broad enough to capture routine image/PDF analysis requests, steering users away from built-in tools toward an external proxy by default. In this context, that increases the chance of unintended data egress of sensitive files or documents when the user only asked for generic analysis.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation encourages uploading local images/PDFs and passing URLs to a remote API endpoint without a clear warning that the content leaves the local environment. Because this skill handles potentially sensitive media and documents, missing disclosure materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script base64-encodes local images/PDFs and sends them, along with the user's prompt, to a remote endpoint, but it does not prominently warn users that potentially sensitive documents and images leave the local machine. In a media-analysis skill, this is particularly relevant because PDFs and photos often contain confidential or personal data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.