Ai Image Team

Security checks across malware telemetry and agentic risk

Overview

The skill implements a coherent e-commerce image-generation workflow. It logs run history locally and calls external generation and helper tools; users should understand both before installing.

Install only if you are comfortable with image prompts and product details being used by the configured generation tools and retained in local history files. Avoid confidential campaign, customer, or unreleased product data unless local retention and any provider-side handling are acceptable, and do not rely on the built-in reviewer as a real visual safety or quality gate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence
Medium severity, 96% confidence
The function claims to perform image quality inspection, but it never analyzes image content and instead returns mostly fixed scores. In a workflow that treats this agent as a quality gate, bad, malformed, or policy-violating outputs could be incorrectly approved, creating integrity and safety failures through false assurance.

Intent-Code Divergence
Medium severity, 91% confidence
The module-level framing presents the agent as an always-on quality reviewer and final delivery gatekeeper, but the implementation is only a simplified heuristic placeholder. This mismatch is dangerous because downstream systems or operators may rely on it for approval decisions that it is not technically capable of making.
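One way to check the two findings above empirically, as an added example that is not code from the skill or from SkillSpector: feed the reviewer a few constructed probe images (a solid-colour product-like PNG, a blank PNG, a truncated PNG and non-image bytes) and see whether its verdicts move. The reviewer interface assumed here, a callable taking PNG bytes and returning a dict with `quality` and `safe`, is an assumption; `placeholder_reviewer` mimics the fixed-score behaviour the finding describes, and `pixel_variance_reviewer` is a deliberately minimal reviewer that at least parses the file, included only to show what a responsive result looks like.

```python
"""Differential probe: does an image reviewer's score depend on the image?

Added example; not code from the Ai Image Team skill or from SkillSpector.
Assumed reviewer interface: reviewer(png_bytes) -> {"quality": float, "safe": bool}.
"""
import statistics
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width, height, rgb):
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed probe input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def placeholder_reviewer(image_bytes):
    """Mimics the finding: never looks at the pixels, returns a fixed score for anything."""
    return {"quality": 0.92, "safe": True}


def pixel_variance_reviewer(image_bytes):
    """Minimal reviewer that really parses the PNG (signature, chunk CRCs, IDAT inflate)
    and scores by pixel spread. Illustrative only: a real gate needs a vision model."""
    if image_bytes[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 12 <= len(image_bytes):
        (length,) = struct.unpack(">I", image_bytes[pos:pos + 4])
        tag = image_bytes[pos + 4:pos + 8]
        data = image_bytes[pos + 8:pos + 8 + length]
        crc = image_bytes[pos + 8 + length:pos + 12 + length]
        if len(data) != length or struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF) != crc:
            raise ValueError("corrupt or truncated chunk")
        if tag == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length
    else:
        raise ValueError("no IEND chunk: file truncated")
    if width is None:
        raise ValueError("no IHDR chunk")
    stride = 3 * width + 1
    raw = zlib.decompress(idat)
    if len(raw) != stride * height:
        raise ValueError("pixel data does not match header")
    pixels = [b for row in range(height) for b in raw[row * stride + 1:(row + 1) * stride]]
    return {"quality": round(min(1.0, statistics.pstdev(pixels) / 64), 3), "safe": True}


def probe_reviewer(reviewer, min_spread=0.1):
    """Run the reviewer over probe inputs and list reasons it should not be trusted as a gate."""
    probes = {
        "product": make_png(64, 64, (200, 30, 30)),
        "blank": make_png(64, 64, (255, 255, 255)),
        "truncated": make_png(64, 64, (200, 30, 30))[:40],
        "garbage": b"not an image at all",
    }
    results = {}
    for name, data in probes.items():
        try:
            results[name] = reviewer(data)
        except Exception as exc:  # rejecting malformed input is the correct behaviour
            results[name] = {"quality": 0.0, "safe": False, "error": type(exc).__name__}
    scores = [r["quality"] for r in results.values()]
    problems = []
    if max(scores) - min(scores) < min_spread:
        problems.append("fixed_scores")        # scores do not react to radically different inputs
    if any(results[n]["safe"] or results[n]["quality"] >= 0.5 for n in ("truncated", "garbage")):
        problems.append("approves_malformed")  # a broken file passed the gate
    if results["blank"]["quality"] >= results["product"]["quality"]:
        problems.append("blank_not_penalised")
    return {"problems": problems, "results": results}


if __name__ == "__main__":
    for name, fn in (("placeholder", placeholder_reviewer), ("pixel_variance", pixel_variance_reviewer)):
        print(name, probe_reviewer(fn)["problems"])
```

The probe is cheap to run against any reviewer the skill exposes: if the problems list is non-empty, the reviewer is not a quality gate and anything downstream that treats its approval as one needs a real check in front of it.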

Vague Triggers
Medium severity, 87% confidence
The README advertises a very broad natural-language trigger ('帮我生成一张电商海报...', "Help me generate an e-commerce poster...") that can cause automatic multi-agent execution from ordinary conversational input. In an agent environment, overly generic triggers increase the chance of unintended skill activation, which can launch tool use or downstream actions without sufficiently explicit user intent.

Missing User Warnings
Medium severity, 91% confidence
The README states that all project records are stored in a persistent memory file, but it provides no warning, consent flow, retention limit, or guidance on what data may be recorded. Because this skill processes user creative requests that may include business plans, product details, or unpublished marketing assets, silent persistence creates a real privacy and data-governance risk.

Vague Triggers
Medium severity, 76% confidence
The invocation examples are phrased as ordinary user requests like '帮我生成一张电商海报…' ("Help me generate an e-commerce poster…"), which can overlap with everyday conversation and cause the skill to trigger unintentionally in systems that route by semantic similarity. Unintended activation is risky here because the skill may launch a multi-agent workflow, consume paid generation resources, invoke external tools, or write project history automatically.

Missing User Warnings
Medium severity, 84% confidence
The skill explicitly supports a '全自动模式(默认)' ("fully automatic mode (default)") that completes the full workflow from user input to delivery without a clear warning or approval checkpoint. In context, this means planning, image generation, quality review, file writes, and possible external API/tool calls may all happen automatically, increasing the chance of unintended actions, cost incurrence, or unsafe prompt/tool execution.

Missing User Warnings
Low severity, 97% confidence
The skill appends project metadata to a local markdown file automatically, without user consent, visibility, or retention controls. Even though it stores limited fields, those fields may still reveal sensitive business activity, product plans, workflow timestamps, and usage patterns, creating an unnecessary privacy and confidentiality risk on shared or multi-tenant systems.

Missing User Warnings
Medium severity, 95% confidence
The agent persistently stores raw prompts, negative prompts, output paths, and model metadata to a JSON history file without any consent, minimization, redaction, or retention controls beyond a simple cap of 100 entries. Prompts can easily contain sensitive business data, personal data, or confidential creative instructions, so local plaintext persistence creates avoidable confidentiality and privacy risk if the host, logs, backups, or shared workspace are accessed by others.
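What the two history findings (the markdown metadata log and the JSON prompt history) are asking for, shown as an added example rather than the skill's own code: an opt-in check before anything is written, minimization (a digest and length instead of the raw prompt, a basename instead of the full output path), retention by both count and age, and a file mode that keeps the log from other users on a shared host. The field names, the week-long retention window and the file layout are assumptions; the 100-entry cap is the one the finding mentions.

```python
"""Privacy-conscious run history for a generation workflow.

Added example; not the Ai Image Team skill's own history code. Field names,
the week-long retention window and the file layout are assumptions.
"""
import hashlib
import json
import os
import tempfile
import time

MAX_ENTRIES = 100             # the count cap mentioned in the finding
MAX_AGE_SECONDS = 7 * 86400   # assumption: a week of history is enough for troubleshooting


def fingerprint(text):
    """Store a digest, not the text: runs stay correlatable but prompts cannot be read back.
    A short or predictable prompt could still be guessed from its digest; key it with an
    HMAC secret kept outside the workspace if that matters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def minimized_entry(prompt, negative_prompt, output_path, model, now=None):
    """Keep only what troubleshooting needs; drop raw prompts and directory names."""
    return {
        "ts": int(now if now is not None else time.time()),
        "prompt_digest": fingerprint(prompt),
        "prompt_chars": len(prompt),
        "negative_digest": fingerprint(negative_prompt),
        "output": os.path.basename(output_path),  # a full path can leak client or project names
        "model": model,
    }


def load_history(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return []


def append_history(path, entry, opt_in, now=None):
    """Write nothing unless the user opted in; enforce age and count limits; keep the file 0600.
    Returns the number of entries retained."""
    if not opt_in:
        return 0
    now = now if now is not None else time.time()
    entries = load_history(path) + [entry]
    entries = [e for e in entries if now - e["ts"] <= MAX_AGE_SECONDS][-MAX_ENTRIES:]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(entries, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file that was created with wider permissions
    return len(entries)


def demo():
    """Exercise the logger in a fresh temporary directory; returns the properties worth checking."""
    path = os.path.join(tempfile.mkdtemp(), "history.json")
    secret = "Q3 poster for unreleased product Atlas, discount code ATLAS40"  # constructed sensitive prompt
    base = 1_700_000_000
    skipped = append_history(path, minimized_entry(secret, "blurry", "/work/atlas/out.png", "sdxl", base),
                             opt_in=False, now=base)
    created_without_opt_in = os.path.exists(path)
    stale = minimized_entry("old job", "", "/work/old.png", "sdxl", base - MAX_AGE_SECONDS - 1)
    append_history(path, stale, opt_in=True, now=stale["ts"])
    count = 0
    for i in range(MAX_ENTRIES + 5):
        entry = minimized_entry(secret, "blurry", f"/work/atlas/out{i}.png", "sdxl", base + i)
        count = append_history(path, entry, opt_in=True, now=base + i)
    with open(path, encoding="utf-8") as fh:
        on_disk = fh.read()
    return {
        "skipped": skipped,
        "created_without_opt_in": created_without_opt_in,
        "count": count,
        "stale_pruned": all(e["ts"] >= base for e in load_history(path)),
        "raw_prompt_on_disk": "Atlas" in on_disk or "/work/atlas" in on_disk,
        "mode": oct(os.stat(path).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

The properties `demo()` reports are exactly the ones a reviewer would check on the skill's real history file: nothing written without consent, a bounded file, no stale entries, no raw prompt or project path recoverable from disk, and permissions that exclude other local users.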

Natural-Language Policy Violations
Medium severity, 88% confidence
The manifest hard-codes Chinese language settings for both input and config, with no indication that users can choose or override the locale. Users therefore cannot tell from the manifest which language the skill expects, and in multi-user or international environments the skill may process requests in a language the user did not intend, increasing the risk that user intent is misinterpreted or that outputs are misleading.

VirusTotal

66/66 vendors reported this skill as clean.
