Back to skill

Security audit

pick your

Security checks across malware telemetry and agentic risk

Overview

The visible collage tool is narrow, but the bundle also includes an undisclosed Cloudflare image-generation script with embedded credentials and unsafe shell execution.

Review before installing. The local collage script appears purpose-aligned, but the bundled Cloudflare helper should be removed or fully disclosed, the embedded token should be rotated, and the curl shell invocation should be replaced with a safer structured API call before trusting the package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
-H "Content-Type: application/json" \
      -d '{json.dumps({"prompt": prompt})}' > /tmp/cf_response.json'''
    
    subprocess.run(cmd, shell=True)
    
    with open('/tmp/cf_response.json', 'r') as f:
        data = json.load(f)
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises no permissions, yet its documented behavior and detected capabilities include file reading and shell execution. Undeclared execution capabilities reduce transparency and can let a seemingly simple collage skill invoke local scripts or access files in ways users and reviewers would not expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a strong security issue because the skill's stated purpose is narrowly scoped food-collage generation, but the code reportedly performs arbitrary prompt-based image generation through an external Cloudflare API and includes hardcoded authentication credentials. Hidden external network use plus embedded secrets can enable unauthorized API abuse, data egress, and functionality far beyond what the user consented to.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
Referencing a different script than the documented skill purpose is suspicious because it suggests copy-paste drift or hidden functionality not aligned with the advertised behavior. In security terms, inconsistent documentation can mislead operators into running unintended code paths and makes review of actual execution behavior less reliable.

Description-Behavior Mismatch

High
Confidence
84% confidence
Finding
The implementation is a generic external AI image generator, not a narrowly scoped food-collage tool as described in the skill metadata. This mismatch increases risk because users and reviewers may authorize a benign-looking collage skill while it actually transmits arbitrary prompts to a third-party image model.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The code sends user input to an external Cloudflare AI endpoint even though the skill is described as a narrowly themed collage generator. Unnecessary third-party API access broadens data exposure and capability beyond what the user would reasonably expect from the stated function.

Intent-Code Divergence

Medium
Confidence
74% confidence
Finding
The module and function documentation describe generic image generation rather than the promised collage-specific behavior. While not directly exploitable on its own, this misleading documentation contributes to unsafe deployment and review decisions by obscuring the actual capability and data flow.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
User-provided prompts are transmitted to a third-party API without any disclosure or consent mechanism in the execution path. In a skill marketed as a simple food collage generator, that undisclosed data transfer is more concerning because users may not expect their input to leave the local environment.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script writes API response data to /tmp and saves generated images to disk without explicit notice or confirmation. This can create privacy and operational risks, especially on shared systems where temporary files or output artifacts may persist unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.