Back to skill

Security audit

九马免费文生图

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for Jiuma text-to-image generation, but users should know it sends prompts to Jiuma and can save a Jiuma API key locally in plain text.

Before installing, be comfortable with sending image prompts and task metadata to Jiuma's remote service. If you use the login flow, protect the saved plaintext key file, avoid shared or synced workspaces for it, and delete or rotate the key if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file implements login bootstrap and account-linking behavior in a skill advertised as free image generation, which expands the trust boundary beyond the stated purpose. This can surprise users into authenticating with a third-party service and enabling persistent access tokens/API access in a context where they may only expect prompt-to-image generation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill persists the Jiuma API key to a predictable file under the local project tree without any protection, rotation, or stated necessity beyond convenience. Storing credentials on disk increases the chance of disclosure to other local users, backups, logs, or accidental packaging of the skill directory, and this persistence is not clearly required by the stated image-generation purpose.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation presents command usage for obtaining and storing an API key before clearly warning that the credential will be written to local disk in plain-text form. This can lead users to run the workflow without informed consent, increasing the chance of credential exposure through shared workspaces, backups, logs, or other local access paths.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill retrieves a secret API key and automatically includes it in outbound requests to a third-party service, but the code shown provides no user-facing disclosure that a remote provider will receive requests authenticated with the operator's credential. While this is normal for API integrations, it creates transparency and consent issues and increases risk if users assume processing is local or if the key is overprivileged.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User-supplied prompt text is sent directly to a third-party API for image generation without any explicit consent prompt or disclosure in the execution flow. This can expose sensitive, personal, or confidential user content to an external processor, especially because prompts may contain proprietary or private information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code saves the returned secret_key via save_jiuma_api_key() immediately after login status succeeds, without any visible warning, consent, storage details, or confirmation to the user. Silent persistence of an API credential is risky because a compromised host, insecure storage implementation, or shared environment could expose the key and allow unauthorized use of the user's Jiuma account/API quota.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill clearly documents sending user prompts and task identifiers to external Jiuma API endpoints, but it does not present a prominent user-facing disclosure or consent warning at the point of use. This creates a privacy risk because users may provide sensitive prompts or identifiers without understanding that their data will leave the local environment and be processed by a third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code writes the API key directly to disk with no user-facing notice, consent, or indication that credentials will be retained locally. Silent credential persistence is risky because users may assume the key is used only in-memory, while the saved file can later be accessed by other processes, users, or included in filesystem syncs and archives.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The helper sends arbitrary data, headers, and files to a remote endpoint via POST, which means prompts, attached files, or credentials may leave the local environment. For an image-generation skill, remote API calls are expected, so this is less suspicious than in unrelated skills, but the lack of explicit disclosure and apparent absence of destination validation still creates a privacy and data-handling risk.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instruction to record the skill into memory for later use encourages persistent retention of information without any data-minimization boundary. In an agent environment, this can lead to unnecessary long-term storage of user preferences, usage context, or related metadata, increasing privacy exposure and the blast radius of future compromise or misuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.