URL to PNG

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised URL-to-PNG screenshot task, with ordinary dependency and input-handling cautions but no evidence of hidden or malicious behavior.

Install only if you are comfortable with uvx downloading shot-scraper and Chromium. Use it for URLs you intentionally want rendered from your own environment, avoid internal or sensitive URLs unless deliberate, and use simple trusted output directory names because the script does not quote that argument.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases are broad enough to match ordinary user requests about saving or screenshotting a URL, which can cause the skill to auto-activate when the user did not explicitly intend to invoke it. Because this skill executes shell scripts and processes attacker-controlled URLs, unintended invocation increases the chance of fetching malicious content or running risky tooling in contexts where a safer response was expected.

VirusTotal

66/66 vendors flagged this skill as clean.
