Missing User Warnings
Medium
- Confidence: 96%
- Finding: The skill explicitly instructs the agent to upload a local user-supplied image to the vendor's external service using `ima upload`, but it does not require a clear user-facing disclosure or confirmation before that transfer occurs. This is a real data-handling vulnerability because local files may contain sensitive visual content or metadata, and users may reasonably expect local analysis rather than automatic transmission to a third party.
