Image Craft

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only image generation skill with proportionate image and lookup tool use, though its broad trigger words may cause occasional unintended activation.

Safe to install for ordinary image-generation use. Avoid providing sensitive personal photos, confidential product images, IDs, or private documents as references, since the skill may analyze and pass them to image-generation tools; expect occasional public web lookups for visual details involving cities, landmarks, brands, or movie scenes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest trigger keywords are very broad (`portrait`, `city`, `room`, `scene`, `style`, `product`, `brand`, `3D`) and overlap with ordinary conversation. That raises the risk of unintended skill activation, causing the agent to route benign requests into this skill, invoke tools, or generate outputs the user did not explicitly ask for.

Vague Triggers

Medium
Confidence: 93%
Finding
The routing rules use underspecified single-word categories like `scene`, `movie`, `product`, `style`, and `character`, which are too ambiguous for reliable activation decisions. In practice this can misclassify normal user requests and trigger inappropriate tool use such as image analysis, UI flows, or external search without sufficiently explicit user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
