Back to skill

Security audit

design pick2

Security checks across malware telemetry and agentic risk

Overview

This food-collage skill includes an under-disclosed generic Cloudflare image generator with an exposed bearer token and unsafe shell execution.

Review before installing. The documented collage script is narrow, but the package also contains an under-disclosed external image-generation helper with an exposed API token and unsafe shell command construction. Install only if you trust the publisher and are comfortable with prompts being sent to Cloudflare if that helper is used; the publisher should remove the token, disclose external AI use, and replace shell command construction with a safer API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
-H "Content-Type: application/json" \
      -d '{json.dumps({"prompt": prompt})}' > /tmp/cf_response.json'''
    
    subprocess.run(cmd, shell=True)
    
    with open('/tmp/cf_response.json', 'r') as f:
        data = json.load(f)
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and invokes a local script with shell/file-read capabilities but does not declare any permissions, creating a transparency and control gap. Undeclared capabilities make it harder for the host or reviewer to enforce least privilege and can conceal risky behavior from users and policy checks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a narrowly scoped food-collage generator, but the implementation reportedly supports arbitrary image generation through an external Cloudflare Workers AI service and uses hardcoded API credentials. This mismatch is dangerous because it hides data exfiltration and network behavior behind an innocuous description, and embedded credentials can be abused if exposed or reused.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Using shell command execution is unnecessary for the stated purpose and materially increases risk because the prompt is incorporated into the shell command. In this skill context, users are expected to supply free-form text prompts, which makes injection risk more dangerous than in a fixed-input workflow.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script silently transmits the user's prompt to a third-party service without any disclosure, consent, or warning. In a skill marketed around curated food collages, users may not reasonably expect their free-form input to be sent off-platform, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The file contains hardcoded Cloudflare account credentials and bearer token. Embedded secrets can be extracted by anyone with code access, enabling unauthorized API use, billing abuse, service impersonation, or broader compromise depending on token scope.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.