Back to skill

Security audit

Ms Qwen Vl

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it analyzes user-selected images through ModelScope, with privacy and dependency cautions but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending the images and prompts you choose to ModelScope for processing. Avoid using it on sensitive screenshots, IDs, invoices, workplace documents, or regulated data unless you have authorization. Keep the API key in a protected environment variable or scripts/.env file, and use a virtual environment with current patched dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs the agent to use environment-stored secrets and to run a local Python script that processes user-supplied local files, but it does not declare corresponding permissions. Undeclared env/file capabilities weaken reviewability and consent boundaries, increasing the chance that users or platforms authorize behavior they did not clearly expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes sending local images and image URLs to a remote ModelScope/Qwen3-VL API, but it does not warn users that image contents will leave the local environment and be processed by a third-party service. This can lead to accidental disclosure of sensitive screenshots, documents, IDs, or internal visuals, especially because the skill is framed as a convenient local-image analysis tool.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill processes local images and remote image URLs by sending their contents to an external ModelScope API, but the description does not clearly warn users about that data transfer. For local screenshots, OCR, invoices, and desktop images, this can expose sensitive personal, financial, or workplace information to a third-party service without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide demonstrates sending image content and user prompts to a third-party remote API endpoint, but it does not warn users that images, extracted text, and prompts may contain sensitive data and will leave the local environment. In a multimodal vision skill, this omission is meaningful because users may submit screenshots, IDs, documents, or other private images without realizing they are being transmitted to an external provider.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads local image files, base64-encodes them, and transmits the full content to a remote ModelScope API, but it does not provide an explicit warning, confirmation, or guardrail about external data transfer. In an agent-skill context, users may assume a local OCR/vision operation and accidentally exfiltrate sensitive screenshots, IDs, invoices, or documents to a third party.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 安装方式: pip install -r requirements.txt

# OpenAI SDK (用于调用 ModelScope API)
openai>=1.0.0

# 图像处理库
Pillow>=9.0.0
Confidence
97% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0

# 图像处理库
Pillow>=9.0.0

# 环境变量加载
python-dotenv>=1.0.0
Confidence
99% confidence
Finding
Pillow>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=9.0.0

# 环境变量加载
python-dotenv>=1.0.0
Confidence
94% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: Pillow==9.0.0 — 10 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-44271 (Pillow Denial of Service vulnerability) +7 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
Pillow==9.0.0

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.