Image Nuke - Nuclear Metadata Cleanser

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local image transformer, but it promotes anti-forensic image alteration and can automatically install unpinned Python packages when run.

Install only if you intentionally want a lossy local image transformer, not a simple metadata scrubber. Run it in an isolated environment after installing dependencies yourself, keep originals, avoid evidentiary or archival images, and do not rely on its claims of forensic untraceability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import numpy as np
except ImportError:
    print("Installing dependencies...")
    os.system("pip install Pillow numpy")
    from PIL import Image, ImageFilter, ImageEnhance
    import numpy as np
Confidence
98% confidence
Finding
os.system("pip install Pillow numpy")

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and demonstrates shell-capable execution via python3 commands, but the manifest declares no explicit permissions or user-consent boundary for code execution. This creates a transparency and policy gap: users and hosting platforms may underestimate that invoking the skill causes local program execution and file-processing actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose frames the tool as metadata stripping, but the behavior described extends into anti-forensic image alteration, bulk processing, format conversion, and even package installation via shell calls. That mismatch is dangerous because users may consent to benign sanitization while actually triggering destructive transformations and broader system-side effects they were not clearly warned about.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auto-installing dependencies by spawning a shell is unrelated to the core task of local metadata stripping and expands the skill's behavior beyond what a user would reasonably expect. In an automated agent environment, this can modify the host system, pull untrusted code from package repositories, and create a stealthy path for unwanted networked side effects.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill goes beyond metadata removal and deliberately alters image pixels through noise injection, color shifts, micro-cropping, and encoding randomization to reduce reverse-image matching. In context, the stated goal of making images 'forensically untraceable' materially increases danger because it is tailored to evade attribution and content-tracking systems rather than simply protect privacy.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill explicitly promotes making images 'forensically untraceable' and 'reverse image search resistant,' which is anti-forensic positioning rather than ordinary privacy protection. In this context, the language materially increases risk because it encourages evasion of attribution, provenance tracking, and investigative analysis.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The usage and notes fail to clearly warn that the tool irreversibly alters image pixels, may change dimensions, and always converts outputs to JPEG. This is dangerous because users may unknowingly destroy evidentiary integrity, lose alpha/color/profile information, or corrupt datasets when they expected only metadata sanitization.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
Repeated anti-forensic messaging normalizes and incentivizes use of the skill for concealment rather than benign privacy hygiene. Because the surrounding context emphasizes noise injection, randomized re-encoding, and hash-changing behavior, the skill is more dangerous than a standard metadata scrubber and can facilitate evasion of detection or attribution workflows.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The docstring explicitly markets the tool as making images 'forensically untraceable' and 'reverse image search resistant,' which signals intent to evade investigation and attribution. In context, this is not harmless marketing language: it aligns directly with the implemented anti-forensic content modifications, making the skill substantially more dangerous than a normal privacy-preserving metadata stripper.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The inline comments state that image modifications are intended to 'break exact dimension matching' and make matching harder, which evidences deliberate evasion design. This context increases severity because the code is not accidentally transforming files; it is purpose-built to frustrate reverse-search and forensic correlation workflows.

VirusTotal

64/64 vendors flagged this skill as clean.
