GEO Visual Content Engine

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed e-commerce asset-generation skill with optional store publishing that is off by default, but publishing credentials should be handled carefully.

Install only if you intend to use Google image generation and possibly Shopify/WooCommerce export. Keep the publishing flags disabled until you have reviewed the generated product data, test against a staging store first, and use narrowly scoped store credentials: once publishing is enabled, the skill can create products, upload images, and set inventory on a live store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
Finding: The example output expands from content/asset generation into prescriptive campaign execution by including a week-by-week posting schedule, channel mix, publish timing, KPI selection, and iteration guidance. This scope creep can cause downstream agents or users to treat the skill as authorized to plan and drive marketing operations beyond its declared purpose, increasing the risk of unintended autonomous actions and policy bypass in multi-agent systems.

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
Finding: The schema exposes `publish_to_shopify` and `publish_to_woocommerce` toggles even though the skill metadata describes generation of visuals, structured data, copy, and export-ready assets rather than direct store publication. This creates a scope-expansion risk: users may unknowingly authorize live changes to external commerce systems, increasing the chance of unintended publication, inventory/catalog corruption, or misuse if downstream actions are connected.

Intent-Code Divergence

Severity: Low. Confidence: 85%.
Finding: The schema description states the workflow includes 'Auto-publish', while the manifest frames the skill as producing export-ready commerce assets. This documentation mismatch can mislead users and reviewers about the skill's actual capabilities, which is dangerous when the hidden or under-disclosed capability involves modifying external storefronts.

Description-Behavior Mismatch

Severity: Medium. Confidence: 89%.
Finding: The code can publish products directly to Shopify and WooCommerce, which exceeds the declared skill scope of generating assets and listing-preparation outputs. That mismatch is security-relevant because users or orchestrators may grant the skill broader trust than intended, leading to unauthorized external side effects on live commerce stores.

Description-Behavior Mismatch

Severity: Medium. Confidence: 88%.
Finding: The create_product workflow is not limited to preparing assets; it can create live products on third-party platforms. In a skill advertised for visual/content generation, this creates an unsafe capability gap that can surprise users and enable unintended modifications to connected stores.

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding: The file implements direct Shopify Admin API product creation, image upload, and inventory management, which materially exceeds the stated skill purpose of generating visuals and commerce assets. In an agent context, this scope mismatch is dangerous because users or hosting systems may expect content generation while the skill can perform live store mutations against a production commerce backend.

Context-Inappropriate Capability

Severity: Low. Confidence: 80%.
Finding: The code automatically reads Shopify credentials from environment variables even though the manifest describes a content-generation workflow, not credentialed store administration. In agent ecosystems, hidden credential handling broadens the trust boundary and makes it easier for a seemingly harmless skill to act on sensitive external systems without clear user awareness.

Context-Inappropriate Capability

Severity: Medium. Confidence: 85%.
Finding: The module silently reads the WooCommerce store URL and API credentials from environment variables, enabling access to external commerce infrastructure without any explicit user awareness. In the context of a skill described as generating visuals and commerce assets, this hidden access materially expands capability and could let the skill act on a live store unexpectedly.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
Finding: This code directly creates and modifies live WooCommerce products, which exceeds the stated scope of producing visuals, copy, and export-ready assets. In a user-facing asset-generation skill, hidden live-commerce mutation is dangerous because generated content or prompts could trigger unauthorized publication of products to a real storefront.

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
Finding: The module can update real inventory levels in WooCommerce, a sensitive business operation not reflected in the skill's stated purpose. Unauthorized or accidental stock changes can disrupt sales, oversell or hide products, and directly affect merchant operations and revenue.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding: The prompt explicitly instructs the system to call an external image-generation API and save outputs to local storage, but provides no consent, disclosure, path constraints, or storage-handling safeguards. In an agent setting, this can cause unexpected third-party data transfer and persistent file creation based solely on user input, creating privacy, compliance, and operational risk.

Missing User Warnings

Severity: Medium. Confidence: 91%.
Finding: The workflow can perform live publishing to external commerce platforms without any explicit warning, consent checkpoint, or strong confirmation that remote side effects will occur. This increases the chance of accidental store modifications, unintended listings, or misuse when the skill is invoked in automated contexts.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding: The create_product flow performs live state-changing writes to Shopify without any confirmation, approval checkpoint, or visible disclosure in the code path. In an agent setting this can lead to unintended product publication, pricing mistakes, or unauthorized catalog changes if triggered by ambiguous prompts or tool misuse.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: The inventory update function changes stock quantities directly in Shopify with no user-facing warning or confirmation. That is risky in a commerce environment because incorrect or unintended stock changes can disrupt sales, fulfillment, and customer trust.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding: Reading sensitive credentials from environment variables without clear disclosure is risky in agent contexts because users may not realize the skill can access preconfigured secrets. That hidden access lowers transparency and can enable unintended connections to live services.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding: Product creation performs a remote state-changing API call without an explicit confirmation boundary. In this skill context, that is dangerous because a user expecting content generation may not expect immediate publication or creation of products in a live WooCommerce store.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding: Uploading an image here mutates an existing remote product without any user-facing warning or confirmation. In an AI-assisted workflow, this can cause unintended modification of storefront content based on generated assets or mistaken targeting of a product ID.

Missing User Warnings

Severity: Medium. Confidence: 97%.
Finding: This stock update call changes live inventory without any explicit confirmation or warning. Inventory is operationally sensitive, so silent mutation is especially risky in a skill whose stated purpose centers on visual and listing-preparation workflows rather than order or stock management.

VirusTotal

65/65 vendors flagged this skill as clean.
