Back to skill

Security audit

image-collect

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed image OCR collector that stores results locally, with privacy and URL-fetching cautions but no artifact-backed deception or exfiltration.

Install only if you are comfortable with image files and extracted OCR text being retained locally. Do not use it on secrets, IDs, medical or financial documents, private local paths, or internal network URLs unless that retention and network access are intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions even though its behavior indicates access to environment capabilities. Undeclared capabilities reduce transparency and can hide access to sensitive configuration or secrets from users and reviewers, especially in a skill that also downloads remote content and writes local data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose understates important behaviors: fetching remote URLs, performing OCR with a specific model, and persisting extracted data in a local JSON database. This mismatch prevents informed consent and security review, and can lead users to expose internal resources or sensitive image contents without realizing the skill downloads and stores them.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it operates on an image and saves knowledge locally, but the implementation also fetches arbitrary remote URLs. That expands the trust boundary and can trigger unintended outbound network access, including access to internal or sensitive endpoints if an attacker controls the input URL. In this context, the mismatch between declared local behavior and actual network behavior makes the capability more dangerous because users may not expect any remote fetch at all.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Downloading user-supplied URLs is a real security-relevant capability that is not necessary for a strictly local image-processing skill as described. Accepting arbitrary URLs can be abused for SSRF-style requests, unexpected data transfer, and retrieval of malicious or oversized content that stresses the host. The skill context makes this more concerning because the stated purpose implies local-only processing, so operators may not apply network controls they otherwise would.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The command examples and description omit a clear warning that the skill downloads remote images and appends extracted content to persistent local storage. This is dangerous because users may pass sensitive URLs or images without understanding that both the source asset and derived OCR text will be retained locally, increasing privacy and data leakage risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code stores full OCR text, summary, keywords, and the image path in a persistent local JSON database without any retention notice or minimization. OCR output can contain highly sensitive information extracted from IDs, receipts, medical documents, or screenshots, so silent persistence increases privacy and data-exposure risk if the host is shared or later compromised. Because this skill is specifically designed to extract knowledge from images, the likelihood of handling sensitive content is substantial.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
When given an HTTP(S) URL, the skill sends that user-provided value to a remote server, creating an outbound network interaction that is not clearly disclosed. This can leak browsing targets or sensitive query parameters embedded in URLs and may surprise users who believed processing was local. In this skill's context, the undocumented network transmission is more dangerous because the metadata explicitly frames the operation as local saving of extracted knowledge.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:12