GPT-image-2 Image Generation and Editing (Shiyun API)

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is coherent, but it should be reviewed because it can permanently save a ShiyunApi key into the user's shell or Windows environment.

Install only if you are comfortable sending prompts and selected images to ShiyunApi. Use a revocable API key, monitor any paid quota or billing impact, and avoid running the key-saving helper unless you intentionally want the key stored permanently in your user environment or shell profile.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill clearly instructs the agent to read environment variables, read and write files, make network requests, and execute shell commands, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users and hosting platforms cannot accurately assess or constrain what the skill can do before execution, especially since it handles API keys, uploads user images to a third-party service, and writes output/metadata to disk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The skill is described as an image generation/editing integration, but it also persists the user's API key into the process or user environment and may modify shell startup files or Windows user environment settings. Credential persistence outside the immediate task materially expands the security impact: secrets may be exposed to other processes, future sessions, local users, backups, shell history–adjacent artifacts, or unrelated tools that can read environment configuration.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The script writes the API key into long-lived shell startup files such as .bashrc, .zshrc, or fish config, causing persistent credential storage outside the skill's stated image-generation functionality. This expands the blast radius of a leaked key, may expose it to other local processes or future sessions, and creates configuration side effects the user may not expect from using the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: On Windows, the helper persists the API key into the user's environment via setx, which creates a durable system configuration change not reflected in the manifest's core image-generation behavior. Persisting secrets in user environment settings increases the chance of accidental disclosure to later processes, logs, support tooling, or other software running under the same account.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The image-editing examples instruct users to submit local image files for remote processing via a third-party API, but they provide no notice that those images may leave the local machine and be handled by an external service. This can lead users to upload sensitive personal, business, or regulated images without understanding the privacy, retention, or compliance implications.

VirusTotal

65/65 vendors flagged this skill as clean.