Security audit

Image Craft

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only image generation skill with broad but disclosed routing and no evidence of hidden, destructive, or persistent behavior.

Install if you want a broad image-generation helper, but avoid providing private photos, confidential product concepts, or sensitive logos unless you are comfortable having them processed by image tools and possibly combined with public web lookup for context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (92% confidence)
Finding
The trigger keywords are extremely broad and include common terms like 'product,' 'brand,' 'room,' 'style,' and '3D,' which can cause accidental invocation outside the user's intended context. Unintended activation can route unrelated conversations into this skill, increasing the chance of inappropriate tool use, surprising behavior, or policy bypass through misclassification.

Vague Triggers

Medium (94% confidence)
Finding
The routing rules map highly ambiguous generic words like 'scene,' 'room,' 'product,' 'brand,' and 'style' to tool-enabled generation paths without requiring clear user intent. In practice, this can cause the skill to seize control of ordinary conversations and invoke image-analysis, search, or generation workflows on weak signals, which broadens the attack surface and raises the risk of unintended external actions.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.