goods-images

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent product-image generation helper; it writes image files locally as part of its stated workflow but does not show hidden, destructive, or exfiltrating behavior.

Before installing, be aware that the skill may save uploaded product images and generated outputs to /tmp/product-details/ on the local machine. Avoid using it with highly confidential unreleased product photos unless local temporary storage is acceptable, and delete the folder after use if those files should not remain.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly directs saving both user-provided images and generated outputs under /tmp/product-details/ without any disclosure, consent, retention limit, or cleanup policy for all artifacts. Even though /tmp is temporary by convention, local writes can expose sensitive user images to other processes, later sessions, backups, or debugging workflows if files persist longer than expected.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal