Back to skill

Security audit

Pixr Cli

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for using a local Pixr image CLI, with disclosed local configuration changes and no bundled executable code.

Install this only if you intend to use and trust the local `pixr` CLI. Review state-changing requests such as model, profile, and save-directory changes, and avoid placing API keys or sensitive images in prompts or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
This manifest enables implicit invocation and describes activation as using the pixr CLI to "generate or configure images," but it does not provide specific trigger phrases, scope limits, or exclusion conditions. That broad wording could overlap with common user requests about images and cause unintended skill activation.

Session Persistence

Medium
Category
Rogue Agent
Content
- "generate an image with pixr"
- "edit an image with pixr"
- "create variations with pixr"
- "set the pixr model"
- "save images to a default folder"
- "use the refs from ~/.pixr/assets"
Confidence
60% confidence
Finding
create variations with pixr" - "set the pixr model" - "save images to a default folder" - "use the refs from ~/.pixr/assets" - "init a pixr profile" - "make a profile use a different model or save dir

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.