Back to skill

Security audit

Image Utils

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Pillow image-processing skill with disclosed URL loading, local file saving, and an optional Bria API example, but users should be careful with remote URLs and external API prompts.

Install only if you are comfortable with a helper that can download images from arbitrary URLs, parse them with Pillow, and save processed files locally. Avoid using private/internal URLs, sensitive images, or confidential prompts unless that data is intended for the remote service, and treat the Bria example as an explicit third-party API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation advertises network-capable behaviors such as loading images from URLs and installing/using a separate remote AI skill, yet the skill declares no permissions reflecting network use. This can mislead users and policy enforcement about the skill's true operational scope, increasing the chance of unexpected outbound requests and unsafe handling of untrusted remote content.

Description-Behavior Mismatch

Low
Confidence
76% confidence
Finding
The documentation extends the skill from local deterministic image manipulation into arbitrary URL-based downloading, which materially broadens the trust boundary. Even if intended for convenience, this scope expansion can enable fetching attacker-controlled content and surprise users who expect only local processing.

Context-Inappropriate Capability

Low
Confidence
72% confidence
Finding
Including arbitrary remote image fetching in a Pillow utility skill adds external I/O behavior not obviously necessary for a classic local image-processing tool. That creates additional exposure to malicious files, privacy leaks through outbound requests, and user confusion about where data is sourced from.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The utility’s advertised scope is deterministic local image processing, but `load()` also accepts arbitrary HTTP/HTTPS URLs and delegates to `load_from_url()`. That expands the trust boundary and can enable server-side request forgery, unintended network access, and ingestion of untrusted remote content in environments where this skill is expected to operate only on local or already-provided image data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
`load_from_url()` performs arbitrary outbound HTTP requests on caller-supplied URLs with no destination validation. In agent or hosted environments, this can be abused for SSRF-style access to internal services, cloud metadata endpoints, or other restricted network resources, and it also pulls attacker-controlled bytes directly into Pillow for parsing.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The examples demonstrate downloading remote content and writing output files without warning users that these actions touch the network and modify the local filesystem. In practice, users may run such snippets against untrusted URLs or sensitive directories without understanding the risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Bria integration example transmits prompts and credentials to an external API but does not disclose that user data leaves the local environment. This can lead to accidental sharing of sensitive prompts, images, or API tokens with a third party, especially in environments expecting offline-only image utilities.

External Transmission

Medium
Category
Data Exfiltration
Content
from image_utils import ImageUtils

# Generate with Bria AI (see bria-ai skill for full API reference)
response = requests.post(
    "https://engine.prod.bria-api.com/v2/image/generate",
    headers={"api_token": BRIA_API_KEY, "Content-Type": "application/json"},
    json={"prompt": "product photo of headphones", "aspect_ratio": "1:1", "sync": True}
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
from image_utils import ImageUtils

# Generate with Bria AI (see bria-ai skill for full API reference)
response = requests.post(
    "https://engine.prod.bria-api.com/v2/image/generate",
    headers={"api_token": BRIA_API_KEY, "Content-Type": "application/json"},
    json={"prompt": "product photo of headphones", "aspect_ratio": "1:1", "sync": True}
Confidence
88% confidence
Finding
requests.post( "https://engine.prod.bria-api.com/v2/image/generate", headers={"api_token": BRIA_API_KEY, "Content-Type": "application/json"}, json=

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.