Gemini TG Image Gen

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do its stated Telegram image-generation job, but it needs review because it can fetch unvalidated URLs from model output and may send unintended temporary files.

Review before installing. Use a revocable OpenRouter key, avoid sensitive prompts, verify the Telegram target, and prefer changing the workflow to send only exact returned file paths, delete temporary images after sending, and validate or allowlist downloaded image URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill requires access to environment variables and outbound network access, but does not declare those permissions. Undeclared capabilities reduce transparency and prevent proper policy enforcement, which can lead to accidental exposure of secrets such as OPENROUTER_API_KEY or to unauthorized external communication. In this context, the skill explicitly calls an external API and reads a credential from the environment, so the mismatch is real and operationally relevant.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose says the skill generates an image and sends it to Telegram, but the described behavior includes saving files locally and potentially downloading arbitrary image URLs returned by the API. That mismatch is dangerous because hidden filesystem writes and retrieval of remote content expand the attack surface, including SSRF-like fetches, malicious file downloads, or persistence of sensitive/generated content without user awareness. The skill context increases risk because it handles untrusted prompts and external API responses, yet the behavior is not fully disclosed.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger description is broad enough to activate on many generic image-related requests without clear boundaries. Over-broad invocation can cause unintended use of external services, unnecessary transmission of user prompts, and surprise generation/sending behavior in Telegram, especially when users did not explicitly consent to third-party processing. In a messaging skill that contacts external APIs, loose triggering materially raises privacy and misuse risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown instructs sending user prompts and generated content to OpenRouter and then to Telegram, but provides no explicit privacy warning or consent language. This is dangerous because prompts may contain personal, confidential, or regulated data, and users may not realize that their content is transmitted to third-party services and stored or processed outside the local environment. The skill's external-network nature makes this a genuine privacy and compliance concern.

VirusTotal

63/63 vendors flagged this skill as clean.
