Security audit

VisHalo AI Creative Image Companion

Security checks across malware telemetry and agentic risk

Overview

This is a document-only creative prompt helper with broad activation keywords but no code, credential use, persistence, or hidden actions.

This appears safe to install as a prompt-and-briefing helper. Be aware it may trigger on generic AI image or video requests, and treat the listed VisHalo/GitHub links as external resources outside the document-only skill itself.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding: The manifest lists generic trigger keywords such as "ai image", "creative automation", and "ai video" without any narrowing context or exclusion conditions. These phrases overlap with common creative-workflow requests and may invoke the skill in situations unrelated to this specific VisHalo companion.

Natural-Language Policy Violations

Low
Confidence: 84%
Finding: The manifest sets the skill language to "en", which can indicate an English-only constraint, but there is no accompanying note that users may choose another language or that the restriction is required for a specific region or compliance purpose. This may violate language/locale policy expectations when no opt-in or justification is provided.

VirusTotal

2/64 vendors flagged this skill as malicious, and 62/64 flagged it as clean.
