Security audit

autoGenImageSkill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed image-generation helper that uses user-provided OpenAI, proxy, or relay credentials and saves generated PNG files locally.

Install only if you are comfortable sending prompts and selected images to the configured OpenAI, proxy, or relay service. Use scoped or disposable credentials where possible, avoid sensitive images with untrusted relays, and require explicit confirmation in your agent workflow before using reserved mode or redeeming purchase keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill is presented as an image-generation helper, but the CLI also exposes account and session lifecycle functions such as session creation, purchase-key redemption, and quota inspection. That scope expansion widens both the trust the user must extend and the attack surface, because invoking the skill can change billing state or the user identity held on an external relay, not just generate an image.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding: The script stores relay session data, including the service URL, user ID, and profile name, in a predictable file under the user's home directory. Persisting identity and state for a skill whose stated purpose is image generation creates unnecessary privacy and cross-session tracking risk, especially if the file is created with whatever permissions the process umask allows or is reused in later sessions without the user being aware of it.
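One way to persist that state with less exposure, as an added example and not the skill's own code: restrict the file to the owning user at creation time and refuse to load a file that other users could read or replace. The file name, the directory, the session fields and the POSIX permission model are assumptions; the page does not show the skill's actual file layout.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed location and fields; the audited skill's real file name and layout
# are not shown on the page. POSIX permissions are assumed throughout.
DEFAULT_SESSION_FILE = Path.home() / ".autogen_image" / "session.json"


def save_session(path: Path, session: dict) -> None:
    """Write relay session state so that only the current user can read it.

    The parent directory is created 0700 and the file is created 0600. The
    mode passed to os.open is filtered through the process umask, so fchmod
    is applied to the open descriptor to pin the final mode regardless.
    """
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:  # fdopen owns fd and closes it on any error
        os.fchmod(fd, 0o600)
        json.dump(session, fh)


def load_session(path: Path) -> dict:
    """Read session state, refusing anything another user could have touched.

    lstat is used so a symlink planted at the path is rejected rather than
    followed. The check-then-open is still a small TOCTOU window; the 0700
    parent directory is what actually keeps other local users out.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not the current user")
    if st.st_mode & 0o077:
        raise PermissionError(
            f"{path}: mode {oct(st.st_mode & 0o777)} is group/world accessible"
        )
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Round-trip a constructed session in a temp dir and exercise the refusal path."""
    # Constructed sample values, not real relay data.
    session = {"service_url": "https://relay.example", "user_id": "u-123", "profile": "default"}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "skill" / "session.json"
        save_session(path, session)
        result = {
            "roundtrip_ok": load_session(path) == session,
            "file_mode": path.stat().st_mode & 0o777,
            "dir_mode": path.parent.stat().st_mode & 0o777,
        }
        os.chmod(path, 0o644)  # simulate a file left world-readable by an older version
        try:
            load_session(path)
            result["rejected_world_readable"] = False
        except PermissionError:
            result["rejected_world_readable"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The ownership and mode checks on load matter as much as the mode on save: a skill that is upgraded in place will otherwise keep trusting a file an earlier version wrote with default permissions.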

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The default prompt uses a very broad trigger phrase ('Use $autoGenImageSkill to generate an image from a prompt') that overlaps with ordinary user requests for image generation. In an agent runtime that invokes skills implicitly, this raises the chance of unintended activation, which could route a request through external API keys, proxies, or reserved-capacity relays without sufficiently explicit user intent.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The reserved-mode documentation explicitly describes sending user identifiers, profile names, purchase keys, and image content to a relay service, but it does not clearly warn that this data leaves the local environment and may be processed by a third party. For a skill that handles image generation and image-to-image uploads, the missing privacy and transmission warning means users can unknowingly disclose sensitive prompts, images, or account-linked metadata.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code validates and consumes a purchase key as soon as it is provided, with no interactive confirmation or dry-run step. In a skill context this can silently spend prepaid value or bind an entitlement to a session or user, so an accidental or induced invocation has direct financial impact.
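A gate of the kind the overview asks for, as an added example rather than the skill's own code: nothing reaches the relay until the key passes a local format check, a dry run has shown what would be sent, and the caller has explicitly confirmed. The key format, the relay call signature and the session fields are assumptions; the relay client is injected so the example runs offline.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable

# Assumed key format for the local sanity check; the real relay's format is
# not shown on the page. Anything that fails this check never leaves the machine.
KEY_PATTERN = re.compile(r"^PK-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$")


class RedemptionRefused(Exception):
    """The gate stopped the call before any prepaid value could be spent."""


@dataclass(frozen=True)
class RedeemPlan:
    service_url: str
    user_id: str
    key_fingerprint: str  # short hash of the key; the key itself is never shown or logged
    dry_run: bool

    def summary(self) -> str:
        return (
            f"Redeem purchase key {self.key_fingerprint} for user {self.user_id!r} "
            f"at {self.service_url}. This spends prepaid value and binds the "
            f"entitlement to this session; it cannot be undone."
        )


@dataclass
class RedeemGate:
    session: dict                                # needs service_url and user_id (assumed fields)
    relay_redeem: Callable[[str, str], dict]     # (key, user_id) -> relay response; assumed signature
    confirm: Callable[[str], bool]               # shows the summary; True only on explicit approval
    submitted: set = field(default_factory=set)  # fingerprints already sent; blocks double submission

    def plan(self, key: str, dry_run: bool) -> RedeemPlan:
        if not KEY_PATTERN.fullmatch(key):
            raise RedemptionRefused("key does not match the expected format; nothing was sent")
        fingerprint = hashlib.sha256(key.encode()).hexdigest()[:12]
        return RedeemPlan(self.session["service_url"], self.session["user_id"], fingerprint, dry_run)

    def redeem(self, key: str, dry_run: bool = False) -> dict:
        plan = self.plan(key, dry_run)
        if plan.key_fingerprint in self.submitted:
            raise RedemptionRefused("this key was already submitted in this session")
        if dry_run:
            return {"status": "dry-run", "would_do": plan.summary()}  # show, then stop
        if not self.confirm(plan.summary()):
            raise RedemptionRefused("not confirmed; key was not sent to the relay")
        # Recorded before the call: if the relay times out the outcome is unknown, and a
        # blind retry could spend the key twice, so a retry has to be a deliberate new session.
        self.submitted.add(plan.key_fingerprint)
        return self.relay_redeem(key, plan.user_id)


def demo() -> dict:
    """Drive the gate with a fake relay and report what reached it at each step."""
    calls: list = []

    def fake_relay(key: str, user_id: str) -> dict:  # stands in for the real relay client
        calls.append((key, user_id))
        return {"status": "ok", "credits": 100}

    session = {"service_url": "https://relay.example", "user_id": "u-123"}  # constructed
    key = "PK-AAAA-BBBB-CCCC-DDDD"  # constructed sample key
    out = {}

    declined = RedeemGate(session, fake_relay, confirm=lambda s: False)
    out["dry_run_status"] = declined.redeem(key, dry_run=True)["status"]
    try:
        declined.redeem(key)
        out["refused_without_confirm"] = False
    except RedemptionRefused:
        out["refused_without_confirm"] = True
    out["calls_after_refusals"] = len(calls)

    approved = RedeemGate(session, fake_relay, confirm=lambda s: "cannot be undone" in s)
    out["relay_response"] = approved.redeem(key)
    try:
        approved.redeem(key)
        out["blocked_double_submit"] = False
    except RedemptionRefused:
        out["blocked_double_submit"] = True
    try:
        approved.redeem("not-a-key")
        out["rejected_bad_format"] = False
    except RedemptionRefused:
        out["rejected_bad_format"] = True
    out["calls_total"] = len(calls)
    return out


if __name__ == "__main__":
    print(demo())
```

In an agent workflow the `confirm` callback is where the human approval step lives; an agent that can answer its own confirmation prompt defeats the gate, so the callback should surface the summary to the user rather than to the model.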

VirusTotal

0 of 63 vendors flagged this skill; all 63 returned clean. This is a scan of the packaged files by antivirus engines and says nothing about the behavioural findings above, which concern what the skill is designed to do rather than whether it carries known malware.