Img2img

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is mostly purpose-aligned, but its JavaScript helper handles API keys less safely than necessary.

Review before installing. Use a dedicated OpenAI API key, avoid sensitive prompts, and prefer fixing or avoiding the JavaScript helper until TLS verification is restored and custom endpoint use is clearly controlled.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrases are very broad and match common user requests such as asking to draw or generate an image, which can cause the skill to activate unintentionally. This increases the chance of unexpected external API use, confusing behavior, or routing user requests into this skill when the user did not explicitly consent to image generation.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill says user descriptions will be sent to DALL-E but does not clearly warn users that their prompts are transmitted to an external service. If users include personal, confidential, or regulated data in prompts, that data may be disclosed to a third party without informed consent.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal