Security audit

Image Forge

Security checks across malware telemetry and agentic risk

Overview

This image-generation router is not malicious, but its bundled prompt libraries are broad enough to steer users into identity-document, celebrity-likeness, profiling, sexualized, and externally researched image workflows.

Install only after reviewing or pruning the bundled reference libraries. Avoid using it as a default image route with sensitive personal photos, real-person likenesses, government IDs, or private conversation context unless you have clear consent and trust the configured backend that will receive the data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Context-Inappropriate Capability

Severity: High (92% confidence)
The reference library contains prompts for generating identity-verification imagery, including visible passports/IDs, which is outside the stated purpose of an image-routing/design skill. Even if framed as example content, embedding this capability normalizes high-risk identity-document generation and could facilitate impersonation, fraud workflows, or social-engineering assets.

Context-Inappropriate Capability

Severity: Medium (87% confidence)
The prompt library includes domains beyond generic product imaging, including person-based generation, fashion/model sheets, character conversions, and branded/copyright-adjacent recreations. In an image-generation gateway, this broad and unscoped content can steer agents into policy-sensitive outputs, IP infringement, or biometric/person-likeness workflows that exceed the declared purpose and increase abuse surface.

Context-Inappropriate Capability

Severity: Medium (96% confidence)
This prompt repository is not limited to inert image prompts: it contains explicit instructions to perform web searches, gather data from external sites, and invoke other skills/tools such as slide generators. In an agent setting, that broadens the trust boundary from static prompt lookup to autonomous action orchestration, which can trigger unintended network access, cross-skill prompt injection, and policy bypass if the library content is treated as executable guidance.

Context-Inappropriate Capability

Severity: Medium (97% confidence)
The file includes numerous sexualized or exploitative body-focused prompt templates, including fetishized anatomy and revealing scenarios, which are unrelated to a routing hub’s stated purpose. This creates a reusable library for generating sexualized depictions and makes misuse easier, especially when combined with identity-reference prompts elsewhere in the same file.

Context-Inappropriate Capability

Severity: Medium (97% confidence)
The file includes numerous sexualized or exploitative body-focused prompt templates, including fetishized anatomy and revealing scenarios, which are unrelated to a routing hub’s stated purpose. This creates a reusable library for generating sexualized depictions and makes misuse easier, especially when combined with identity-reference prompts elsewhere in the same file.

Context-Inappropriate Capability

Severity: Medium (99% confidence)
The file includes a prompt that explicitly instructs gathering information about a named person domestically and internationally, inferring their character/background/worldview, and then generating an image from that profiling. That combines OSINT-style personal data aggregation with persona inference, which is dangerous because it enables profiling, targeted impersonation, and privacy-invasive generation workflows.

Context-Inappropriate Capability

Severity: High (99% confidence)
The file includes a prompt that explicitly instructs gathering information about a named person domestically and internationally, inferring their character/background/worldview, and then generating an image from that profiling. That combines OSINT-style personal data aggregation with persona inference, which is dangerous because it enables profiling, targeted impersonation, and privacy-invasive generation workflows.

Context-Inappropriate Capability

Severity: Medium (98% confidence)
This file is a large prompt corpus containing many sexualized, voyeuristic, and celebrity-likeness prompts that go well beyond a neutral image-routing reference library. In a skill that is the mandatory image-generation entrypoint, bundling these prompts creates a high risk of unsafe outputs, policy circumvention by example, and generation of non-consensual likeness or fetishized content.

Description-Behavior Mismatch

Severity: Low (93% confidence)
The manifest describes curated routing libraries, but this file behaves like an unbounded social-media prompt dump with many unrelated and unsafe exemplars. That mismatch is dangerous because it expands the effective behavior of the skill beyond its declared purpose, reducing auditability and increasing the chance that unsafe prompts are reused or recommended.

Missing User Warnings

Severity: High (96% confidence)
The skill supports editing and multi-reference workflows that send uploaded images to external backends, but it does not clearly warn users that their reference images will be transmitted off-box. This can expose sensitive, private, or regulated visual data without informed consent, especially because the skill markets itself as the default image entrypoint.

Missing User Warnings

Severity: Medium (92% confidence)
The skill writes generated outputs to fixed local filesystem locations, but this storage behavior is not prominently disclosed to users. Local persistence can leave sensitive or copyrighted images on disk longer than expected, creating confidentiality and retention risks on shared systems.

Natural-Language Policy Violations

Severity: Medium (86% confidence)
Mandating translation of all Chinese input into English without user opt-in can alter meaning and send transformed user content to third-party services in a way the user did not request. For sensitive prompts, translation may leak or distort proper nouns, confidential terms, or safety-relevant wording.

Vague Triggers

Severity: Medium (88% confidence)
The override phrases are broad and semantically common in normal image-generation requests, especially terms like “写实”, “真实照片”, or model names users may mention descriptively rather than as routing commands. In this skill, backend selection changes capabilities and output behavior, so accidental phrase matches can silently force a different provider than intended, creating prompt-routing confusion and potentially sending requests or reference images to an unintended backend.

Natural-Language Policy Violations

Severity: Medium (91% confidence)
Several embedded prompts hard-code demographic attributes such as 'white American female model' without user request or consent. In a shared generation skill, this can cause biased, inappropriate, or noncompliant outputs and may override user intent in person-generation tasks, especially when paired with uploaded reference images.

Natural-Language Policy Violations

Severity: Medium (90% confidence)
The file contains guidance such as 'Do not send Japanese prompts for image generation. Translate them into English before sending,' which imposes a language transformation without explicit user consent. In an agent skill, that can override user intent, alter meaning, leak translated content to downstream systems, and create prompt-integrity issues, especially for safety-sensitive or brand-sensitive text generation.

Natural-Language Policy Violations

Severity: Medium (91% confidence)
The library repeatedly hard-codes ethnicity and similar protected or sensitive appearance constraints without clear necessity, such as 'East Asian,' 'Asian woman,' 'Japanese woman,' or other demographic locks. In a centralized image skill, this is risky because it normalizes demographic targeting and can support stereotyping, fetishized generation, or biased subject substitution across many user requests.

Natural-Language Policy Violations

Severity: Medium (89% confidence)
Multiple prompts explicitly require Japanese text or 'perfect Japanese fonts' regardless of user preference. In a shared image-generation skill, this can override user intent, degrade output relevance, and create prompt-injection-like behavior where embedded reference content steers the model toward unwanted language output.

Missing User Warnings

Severity: Medium (87% confidence)
The edit path base64-encodes local image files and uploads them to a remote service, but the CLI provides no explicit consent prompt or strong warning that local file contents leave the machine. In this skill context, uploading reference images is expected functionality, but the lack of clear disclosure increases privacy risk when users supply sensitive local images assuming processing is local.

Vague Triggers

Severity: Medium (91% confidence)
The 'others' use case includes very broad aliases such as '其他', '自由', '随便', 'others', and 'free', which can match vague user requests and cause this skill to be invoked when a more specific or safer routing target should have handled the request. In a routing hub that declares itself the only image-generation entry point, broad catch-all terms increase the risk of unintended interception, misclassification, and policy bypass through ambiguous phrasing.

Ssd 3

Severity: High (97% confidence)
The file includes a prompt explicitly instructing creation of an image where a subject shows a passport/ID clearly to the camera with readable personal fields. In the context of a general image-generation skill, this is especially dangerous because it provides a turnkey template for generating synthetic identity-verification artifacts that may expose or fabricate sensitive PII and support fraud.

Ssd 4

Severity: Medium (98% confidence)
The file also contains prompts specifying concealed lower-position viewing of unaware subjects, a classic voyeuristic framing often used to sexualize or exploit subjects without consent. Because this skill is positioned as the sole image entrypoint, retaining such examples materially increases the chance of harmful generations or prompt adaptation into abusive requests.

Ssd 4

Severity: Medium (98% confidence)
The file also contains prompts specifying concealed lower-position viewing of unaware subjects, a classic voyeuristic framing often used to sexualize or exploit subjects without consent. Because this skill is positioned as the sole image entrypoint, retaining such examples materially increases the chance of harmful generations or prompt adaptation into abusive requests.

Ssd 3

Severity: Medium (95% confidence)
At least one prompt instructs the model to 'choose one impressive word from my past conversation history,' which creates a real risk of pulling sensitive or unrelated prior-user data into generated output. In an agent skill that may have access to broader chat context, this can cause cross-turn privacy leakage and unintended disclosure of personal information.

VirusTotal

65/65 vendors flagged this skill as clean.