Security audit

Main Image Editor

Security checks across malware telemetry and agentic risk

Overview

This PSD editing skill appears purpose-built, but its rollback and local-copy safety promises are weaker than documented, so users should review it before using it on real files.

Review before installing if you will use it on important PSD/PSB files. Start with dry-run, keep independent backups outside the tool, avoid force on low-confidence edits, and verify the referenced psd-automator dependency before allowing real file changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
In copyPsdLocal mode, the code intends to operate only on a temporary working copy so the original PSD is never modified. However, the retry path rebuilds the task from the original task object rather than the local-path-adjusted task, so a retry after E_LAYER_NOT_FOUND can target the original PSD and violate the isolation guarantee, causing unintended edits to the source file.

VirusTotal

67/67 vendors flagged this skill as clean.
