Back to skill

Security audit

Bytedance Ai Image Gen

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill does what it advertises, but it is placed in Review because it pushes agents to run external, quota-consuming image calls without confirmation and stores sensitive prompt/image history locally.

Install only if you are comfortable with prompts and selected images being sent to Volcengine/ByteDance, API quota being used without an extra confirmation step, and prompts, reference image values, output URLs, temp copies, and generated files being stored locally. Use a dedicated low-privilege API key, avoid optional IAM keys unless usage sync is necessary, and avoid sensitive personal or business images unless this retention is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while clearly requiring environment variables, file access, and outbound network access to a third-party image API. This creates a transparency and governance gap: users and platforms may not realize the skill can read credentials, access local image files, write outputs, and transmit content externally.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill persistently stores detailed per-call history including raw prompts, full prompts, model IDs, reference-image identifiers, and output URLs for 7 days. That creates unnecessary local data retention of potentially sensitive user content and metadata, increasing privacy exposure if the host is multi-user, backed up, or later compromised.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill automatically downloads generated images and writes them to a local Image directory, which goes beyond transient image generation. This creates unannounced local persistence of potentially sensitive or copyrighted content and can leak data through shared disks, backups, or later local compromise.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill fetches arbitrary user-supplied remote URLs for reference images and downloads returned image URLs locally, creating a general-purpose network fetch capability. In a privileged or internal environment this can be abused for SSRF-like access to internal services, unexpected outbound requests, or retrieval of untrusted content.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger list includes very broad everyday phrases such as '帮我生成', 'please generate', and 'create image', which can match normal conversation and invoke the skill unintentionally. Because activation leads to external API calls and quota consumption, broad triggers materially increase the risk of surprise execution and unintended data transfer.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Editing and merging triggers like '融合', '合成', 'merge', and 'combine' are ambiguous and may refer to non-image tasks. In this skill, those phrases can cause user images to be processed and uploaded to an external provider without sufficiently clear user intent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to execute commands immediately upon trigger and forbids responding with text only, even though execution sends prompts and possibly images to an external API. This bypasses meaningful user confirmation for data transfer, billing/quota consumption, and local command execution.

Missing User Warnings

High
Confidence
99% confidence
Finding
The behavior rules explicitly prohibit confirmation before consuming quota and executing external operations. That is dangerous because it intentionally removes a safety checkpoint for actions involving configured credentials, external network calls, and potential upload of user content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The user-facing flow does not clearly warn that prompts, reference images, and generated output metadata are transmitted to external services and stored locally. This is a privacy and consent issue because users may provide sensitive text or images without realizing the retention and sharing behavior.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code silently deletes files from the Temp directory based on access time, while other parts of the skill also write temporary and output files automatically. Undisclosed file creation and deletion can surprise users, interfere with forensic expectations, and cause unintended loss of data if the directory is reused or misconfigured.

Ssd 4

Medium
Confidence
96% confidence
Finding
The narrative instructions progressively strip away consent by telling the agent to infer parameters and execute automatically, normalizing use of stored credentials and quota without an approval step. In context, this materially increases the chance of unintended external actions and silent transmission of user prompts or images.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.