seedream(doubao)-image-generation

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is purpose-aligned, but it needs review because it can upload local files, log sensitive prompts and paths, and send the API key to a configurable endpoint.

Install only if you trust the configured Seedream endpoint and are comfortable sending prompts and selected source images to that service. Keep SEEDREAM_BASE_URL unset or pointed only at the official trusted endpoint, use a limited API key, avoid sensitive local images, and treat console logs and returned results as potentially containing prompts, file paths, and uploaded image data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Tainted flow: 'req' from os.environ.get (line 150, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    input_params_for_return = payload

    try:
        with urllib.request.urlopen(req) as response:
            res_json = json.loads(response.read().decode("utf-8"))
            print("[seedream] response:", json.dumps(res_json, ensure_ascii=False))
Confidence
96% confidence
Finding
with urllib.request.urlopen(req) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares required environment variables in metadata but does not declare explicit permissions despite clearly requiring network access and access to sensitive credentials. This weakens policy enforcement and reviewability, making it easier for a skill that can send data off-host to be installed or invoked without users fully understanding its capabilities.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill can download remote content from URLs returned by the external API and write it to a user-controlled `download_dir` on local disk. While this is not arbitrary internet download in the general case, it still creates files in attacker-influenced locations and extends the skill from pure API usage into local filesystem write behavior, which can lead to unwanted file creation, overwrites via symlink tricks, or persistence of untrusted content.

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The code accepts arbitrary local image paths and reads them from disk, then later uploads their full contents to an external API. In an agent setting, that is a meaningful data-exfiltration surface because a prompt or tool caller could cause sensitive local files to be read if path restrictions are absent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill accepts and forwards a generic `tools` parameter, including examples such as `web_search`, even though the stated purpose is image generation. This broadens the model's effective capability surface beyond the manifest's scope and can enable unintended outbound data access or prompt-driven tool use that operators may not expect.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description says the skill should be used for 'general visual creative tasks,' which is broader than the concrete API behavior and can cause over-invocation in contexts where users may not expect remote transmission of prompts or images. Overly broad routing language increases the chance the skill is selected for sensitive tasks, expanding the exposure of private content to a third-party service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown explains that local image paths are read, converted to base64, and sent in the request, but it does not present this as a prominent user warning or privacy/security notice. In practice, users may provide local files containing sensitive or proprietary data without realizing they are being uploaded to a remote API, creating a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function logs the full input parameters, including local image paths, before making the network request. Those logs may expose sensitive filesystem structure, filenames, or user-provided prompts to logging backends and operators without any minimization or warning.

Missing User Warnings

High
Confidence
98% confidence
Finding
This code reads local files, converts them to base64, and transmits them to an external service. In the context of an agent skill, that is a high-risk privacy and exfiltration issue because any accessible local file passed as `image` is sent off-host, and the skill does not enforce path restrictions or provide explicit user confirmation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill writes downloaded remote images to disk without an explicit warning or consent mechanism. Even though the content originates from the configured image API workflow, saving untrusted remote content locally can surprise users, consume storage, and create risk if other components later process those files unsafely.

VirusTotal

64/64 vendors flagged this skill as clean.
