Flux Image

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Flux image generation skill, but users should treat prompts, image URLs, and the AceDataCloud token as sensitive.

Install only if you are comfortable using AceDataCloud for image generation. Use a dedicated API token where possible, avoid sharing or committing the token, monitor usage costs, and do not submit confidential prompts, private images, internal URLs, or signed URLs unless your organization allows that data to be processed by AceDataCloud.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to export a live API token but provides no warning about keeping credentials secret, avoiding hardcoding, shell history exposure, or using least-privilege handling. In a reusable skill document, this omission can lead to accidental token disclosure in terminals, logs, screenshots, or shared scripts.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The examples send prompts and image URLs to AceDataCloud, a third-party remote service, without any notice that user inputs and referenced images leave the local environment. This creates privacy and compliance risk if users submit sensitive prompts, proprietary images, internal URLs, or regulated data under the assumption that processing is local.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal