Security audit

Seedream Image

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward guide for using an external AI image API, with normal privacy and API-token cautions but no hidden or destructive behavior found.

Install or use this only if you are comfortable sending prompts, source image URLs, and mask URLs to AceDataCloud/Seedream. Keep the API token in an environment variable or secret manager, avoid submitting sensitive or regulated images unless approved, and verify the optional MCP package or hosted MCP server before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly instructs users to send prompts and, elsewhere, image URLs to a third-party service but provides no privacy or data-handling warning. In this context, prompts and referenced images may contain sensitive business, personal, or copyrighted material, so omission of disclosure can lead to unintended data exposure.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The authentication section shows use of a bearer token but gives no guidance on secure credential handling. This increases the chance users will hardcode, log, share, or otherwise mishandle the API token, which could enable unauthorized use of the third-party account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.