ModelScope Image Generation (魔搭图片生成)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ModelScope image-generation helper whose API-key use, outbound network calls, and local image output are disclosed in its documentation; users should still treat saved keys and prompt contents as sensitive.

Install only if you intend to use ModelScope for image generation. Prefer MODELSCOPE_API_KEY over --save-key on shared machines, avoid putting private information in prompts, and review or delete ~/.modelscope/api_key when you no longer need stored credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Tainted flow: 'image_url' from requests.get (line 120, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
from io import BytesIO

import requests
from PIL import Image

# 'data' is the parsed JSON body of the generation response (network input).
image_url = data["output_images"][0]
print(f"Downloading image: {image_url}")

# Sink: the API-supplied URL is fetched without any scheme or host check.
img_resp = requests.get(image_url)
img_resp.raise_for_status()

image = Image.open(BytesIO(img_resp.content))
Confidence
92% confidence
Finding
img_resp = requests.get(image_url)

Tainted flow: 'image_url' from requests.get (line 120, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
from io import BytesIO

import requests
from PIL import Image

# 'data' is the parsed JSON body of the generation response (network input).
image_url = data["output_images"][0]
print(f"Downloading image: {image_url}")

# Sink: the API-supplied URL is fetched without any scheme or host check.
img_resp = requests.get(image_url)
img_resp.raise_for_status()

image = Image.open(BytesIO(img_resp.content))
Confidence
93% confidence
Finding
img_resp = requests.get(image_url)
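Both tainted-flow findings above point at the same sink: the URL taken from the API response is handed straight to requests.get, so whatever the response says gets fetched. The following is an added example, not code from the skill, showing the check a hardened client would run first: an https-only, allow-listed-host validation, followed by a bounded download that refuses redirects and non-image content. The host in ALLOWED_HOSTS is a placeholder assumption (the real ModelScope output host must come from the API documentation), the size cap is arbitrary, and the standard library is used in place of requests so the example has no third-party dependency.

```python
"""Added example: validate an API-returned image URL before fetching it.

Illustrative code, not the skill's own. ALLOWED_HOSTS is a placeholder.
"""
from __future__ import annotations

import urllib.request
from urllib.parse import urlparse

# ASSUMPTION: the real ModelScope output host must be taken from the API
# documentation; this placeholder only demonstrates the allow-list mechanism.
ALLOWED_HOSTS = frozenset({"images.example-modelscope.invalid"})
MAX_IMAGE_BYTES = 20 * 1024 * 1024  # refuse responses larger than 20 MiB
CHUNK = 64 * 1024


class UnsafeImageURL(ValueError):
    """Raised when an API-supplied URL or its response fails the safety checks."""


def validate_image_url(url: str, allowed_hosts: frozenset[str] = ALLOWED_HOSTS) -> str:
    """Return *url* unchanged if it is plain https to an allow-listed host.

    The API response is network input. Without this check a tampered or
    compromised response can steer the client at internal services, cloud
    metadata endpoints, or an attacker-controlled server.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UnsafeImageURL(f"refusing scheme {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeImageURL("refusing URL with embedded credentials")
    host = parsed.hostname  # already lower-cased, IPv6 brackets removed
    if host is None or host not in allowed_hosts:
        raise UnsafeImageURL(f"host {host!r} is not allow-listed")
    if parsed.port not in (None, 443):
        raise UnsafeImageURL(f"refusing non-standard port {parsed.port}")
    return url


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """A redirect would land on a host that never passed validate_image_url."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeImageURL(f"refusing redirect to {newurl!r}")


_OPENER = urllib.request.build_opener(_RefuseRedirects)


def fetch_image_bytes(url: str, timeout: float = 30.0) -> bytes:
    """Download a validated image URL with a content-type check and a size cap.

    The returned bytes can be passed to Image.open(BytesIO(...)) exactly as
    the skill does today; only the fetch itself is hardened here.
    """
    validate_image_url(url)
    req = urllib.request.Request(url, method="GET")
    with _OPENER.open(req, timeout=timeout) as resp:  # 4xx/5xx raise HTTPError
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.lower().startswith("image/"):
            raise UnsafeImageURL(f"unexpected Content-Type {ctype!r}")
        buf = bytearray()
        while chunk := resp.read(CHUNK):
            buf.extend(chunk)
            if len(buf) > MAX_IMAGE_BYTES:
                raise UnsafeImageURL("image exceeds size cap")
    return bytes(buf)


def is_safe_image_url(url: str) -> bool:
    """Boolean form of validate_image_url for callers that prefer a predicate."""
    try:
        validate_image_url(url)
    except ValueError:  # UnsafeImageURL, or urlparse rejecting a malformed port
        return False
    return True
```

The allow-list check deliberately compares the exact host rather than a suffix, so `images.example-modelscope.invalid.evil.test` is rejected along with link-local and loopback addresses; the redirect handler closes the remaining gap where a compliant host could bounce the client elsewhere.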

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities to read environment variables, write local files, invoke shell commands, and make network requests, but it does not declare permissions or otherwise scope those actions. This creates a transparency and consent problem: an agent may use broader capabilities than users expect, including sending prompts to an external API and writing generated outputs locally.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script includes a feature to persist the API key locally even though image generation itself only requires transient use of the credential. In an agent-skill context, unnecessary credential storage increases the blast radius of compromise because other local processes or future sessions may recover the key from disk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad and overlap with common conversational phrases such as 'generate image' and general references to drawing or ModelScope. Overbroad activation can cause unintended skill invocation, leading to unsolicited external API calls, token usage, and file creation without the user clearly intending to use this specific skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description explains how to call the ModelScope API and save outputs to local files, but it does not clearly warn users that their prompts will be transmitted to a third-party service and that files will be written locally. Missing disclosure undermines informed consent and can expose sensitive prompt contents, credentials handling, or unintended local data creation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The --save-key functionality writes an API credential to a local file without an explicit warning that sensitive data will be stored on disk. Users may invoke it without understanding the persistence and exposure implications, especially in shared or agent-managed environments.
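The two --save-key findings, the Context-Inappropriate Capability finding, and the overview's advice to prefer MODELSCOPE_API_KEY all describe the same control: read the key from the environment first, trust a key file only when it is private, and never write the key to disk silently. The following is an added example, not the skill's own code. The environment variable name and the ~/.modelscope/api_key path are the ones named in the overview; the function names, the 0600/0700 modes, and the explicit confirmation flag are assumptions made for illustration.

```python
"""Added example: resolve the ModelScope API key without persisting it by default.

Illustrative code, not the skill's own --save-key implementation.
"""
from __future__ import annotations

import os
import stat
import tempfile
from collections.abc import Mapping
from pathlib import Path

ENV_VAR = "MODELSCOPE_API_KEY"
DEFAULT_KEY_FILE = Path("~/.modelscope/api_key").expanduser()
PRIVATE_MODE = 0o600  # owner read/write only (assumed policy)


def key_file_is_private(path: Path) -> bool:
    """A regular file, owned by the caller, with no group/world bits set."""
    try:
        st = path.lstat()  # lstat: a symlink planted in place of the file is refused
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        return False
    return (st.st_mode & 0o077) == 0


def resolve_api_key(env: Mapping[str, str] | None = None,
                    key_file: Path = DEFAULT_KEY_FILE) -> tuple[str, str] | None:
    """Return (key, source) with source 'env' or 'file', or None if unset.

    The environment wins because it is scoped to this process. A key file
    with loose permissions is ignored rather than used silently, so the
    misconfiguration surfaces instead of quietly widening the blast radius.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if key:
        return key, "env"
    if key_file_is_private(key_file):
        key = key_file.read_text(encoding="utf-8").strip()
        if key:
            return key, "file"
    return None


def save_api_key(key: str, key_file: Path = DEFAULT_KEY_FILE, *,
                 confirmed: bool = False) -> Path:
    """Write *key* with 0600 permissions, only after explicit confirmation.

    Unlike a bare --save-key, this refuses unless the caller has acknowledged
    that the credential will remain on disk for other processes and sessions.
    """
    if not confirmed:
        raise PermissionError(
            f"storing {ENV_VAR} in {key_file} needs explicit confirmation; "
            f"prefer exporting {ENV_VAR} for the current session instead")
    key_file.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(key_file, flags, PRIVATE_MODE)  # mode applies only on create
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key.strip() + "\n")
    os.chmod(key_file, PRIVATE_MODE)  # tighten a pre-existing, looser file
    return key_file


def demo() -> dict[str, object]:
    """Walk through the resolution order in a throwaway directory."""
    workdir = Path(tempfile.mkdtemp(prefix="modelscope-key-"))
    key_file = workdir / "api_key"
    out: dict[str, object] = {}
    try:
        save_api_key("sk-demo", key_file=key_file)
        out["refused_without_confirmation"] = False
    except PermissionError:
        out["refused_without_confirmation"] = True
    save_api_key("sk-demo", key_file=key_file, confirmed=True)
    out["file_mode"] = oct(stat.S_IMODE(key_file.stat().st_mode))
    out["from_file"] = resolve_api_key(env={}, key_file=key_file)
    out["env_wins"] = resolve_api_key(env={ENV_VAR: "sk-env"}, key_file=key_file)
    os.chmod(key_file, 0o644)  # simulate a key file left world-readable
    out["loose_file_ignored"] = resolve_api_key(env={}, key_file=key_file)
    key_file.unlink()
    workdir.rmdir()
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the five outcomes of the walkthrough: the unconfirmed save is refused, the confirmed file lands as 0600, the file key is used only when the environment is empty, and a 0644 key file is ignored entirely.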

VirusTotal

65/65 vendors flagged this skill as clean.
