Img Compress

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it overwrites image files in place, so users should run it only on backed-up folders.

Install only if you are comfortable with destructive image compression. Run it as a normal user, avoid sudo unless absolutely required, target a narrow copied folder, and keep backups before using it on original or production assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states that it overwrites original image files in place, but it does not provide a clear warning about irreversible data loss or recommend creating backups first. In a batch-processing context, a user could unintentionally destroy original assets across an entire directory, making recovery difficult or impossible if compression degrades quality or corrupts files.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script rewrites each source image directly to the same path, so any corruption, failed conversion, or unintended format change permanently destroys the original file. In this script, non-RGBA images are always saved as JPEG back to the original path, which can also cause data loss, extension/format mismatches, and irreversible degradation without backup or confirmation.

VirusTotal

67/67 vendors flagged this skill as clean.
