Security audit

intelligent-extension

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow Flyelep image-extension API helper; it sends image URLs and a user-provided API key to Flyelep, which is disclosed and fits its purpose.

Install only if you are comfortable sending the provided image URLs and your Flyelep API key to Flyelep. Use a dedicated/revocable key, avoid sensitive or private image URLs unless you trust Flyelep's handling of them, and do not store the real secretKey in the skill file or shared repositories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

External Transmission

Medium

Category: Data Exfiltration
Content: **单张图片延展为横版 16:9：** ```bash curl -X POST "https://www.flyelep.cn/prod-api/poster-design/api/v1/poster/aiTool/intelligentExtension" \ -H "Content-Type: application/json" \ -H "secretKey: 你的密钥" \ --max-time 300 \
Confidence: 85% confidence
Finding: curl -X POST "https://www.flyelep.cn/prod-api/poster-design/api/v1/poster/aiTool/intelligentExtension" \ -H "Content-Type: application/json" \ -H "secretKey: 你的密钥" \ --max-time 300 \ -d '{

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal