Gemini Image Simple

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it sends prompts and optional images to Google's Gemini image API and saves the generated image locally.

Install only if you are comfortable sending prompts, selected input images, and related request data to Google's Gemini API under your API key. Use an API key intended for this purpose, monitor quota or billing, and choose output paths carefully to avoid overwriting important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells users to provide prompts and optionally input images, but it does not clearly warn that both are transmitted to Google's Gemini API for processing. In this context, that omission is security-relevant because prompts and images may contain sensitive, proprietary, or personal data, and users could reasonably assume local processing due to the emphasis on 'pure Python stdlib' and zero dependencies.

VirusTotal

66/66 vendors flagged this skill as clean.
