
Security audit

Scrapbook-Style Illustration Inserter

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is purpose-aligned, but it needs review because it reads a broad set of local credential files and uses unsafe shell-style execution patterns on generated text.

Review before installing. Use only a dedicated GLM_API_KEY or OPENROUTER_API_KEY, avoid storing unrelated secrets in generic api_key, ~/.claude/config.json, or ~/.env where this script can read them, and do not run it on confidential articles unless you accept the selected provider receiving article-derived prompts. Agents should invoke generate.py with safe structured arguments rather than interpolating generated text into shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Tainted flow: 'image_url' from requests.post (line 191, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
    filename = f"{timestamp}_{safe_prompt}.png"
    filepath = os.path.join(output_dir, filename)

    img_response = requests.get(image_url, timeout=60)
    img_response.raise_for_status()
    with open(filepath, "wb") as f:
        f.write(img_response.content)
Confidence: 90%
Finding: img_response = requests.get(image_url, timeout=60)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs the agent to access environment/config secrets and make outbound network calls to external providers, but it does not declare those capabilities as permissions. This creates a transparency and governance gap: users and the platform may not realize the skill can read API keys and transmit article-derived content off-box.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The skill searches multiple global config files and home-directory .env files for credentials, reaching beyond the skill's own scoped configuration. In an agent environment, this broad secret-discovery behavior increases the chance of harvesting unrelated credentials from the host and normalizes access to secrets the user did not explicitly provide to this skill.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The README suggests very broad, natural phrases such as 'Add images to my post' and 'Generate pictures for this content', which can overlap with ordinary user requests and increase the chance the skill is invoked unintentionally. In a skill that sends article text to an external image-generation service, accidental invocation can lead to unintended data disclosure and unapproved content transformation.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The README describes external GLM image generation but does not clearly warn that article content or derived prompts may be sent to a third-party API. This creates a meaningful privacy and compliance risk because users may provide unpublished, sensitive, or proprietary article text without realizing it will leave the local environment.

Natural-Language Policy Violations

Severity: Medium
Confidence: 81%
Finding: Defaulting image text language to Chinese without explicit user selection can produce outputs the user did not request, especially for English or multilingual articles. While primarily a correctness and UX issue, it can also cause misleading published content and unexpected external prompt behavior if users assume language follows the source article automatically.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The activation phrases are broad enough to match common requests about adding images, which can cause the skill to trigger in situations where the user did not intend external image generation or data sharing. In context, that increases the chance of accidental invocation and unintended transmission of article content to third-party APIs.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill does not clearly warn that article content, or detailed derivatives of it, will be sent to external providers like GLM or OpenRouter. For private, proprietary, or regulated article content, this omission can lead to unintentional exfiltration to third parties and associated privacy/compliance risk.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger phrases are broad enough to match ordinary user requests that may not clearly signal consent to invoke this skill. In a skill with exec permission and external image-generation behavior, overbroad activation increases the chance of unintended execution, unnecessary external data sharing, or unexpected costs.

VirusTotal

66/66 vendors reported this skill as clean.
