豆包AI图像生成

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly an image generator, but it explicitly instructs human-like browser automation to avoid bot detection and may send generated images to external destinations.

Install only if you are comfortable with browser automation against Doubao and have checked whether that use is allowed by the service. Avoid sensitive prompts or images, confirm the exact Feishu or other delivery destination before sending, and periodically delete saved files from /workspace/ai_images/doubao/ if retention is not needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly states that generated images are stored locally and may be sent to Feishu or another destination, but it does not warn the user about this data handling behavior before use. That creates a meaningful privacy and data-exfiltration risk because prompts or generated images may contain sensitive business, personal, or regulated content that is persisted and then transmitted to third-party systems.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal