Back to skill

Security audit

voice-text-to-meme

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends user-provided text to a configured image model to make one meme image and saves the result locally.

Use a dedicated model API key, review the configured base URL before running it, and do not send private, confidential, or credential-like text unless you trust that provider. For stricter environments, install from pinned or locked dependencies and choose an output directory where saved meme images are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-derived text in the generated prompt to a third-party model endpoint and may also fetch image content from a returned URL, but there is no consent flow, warning, redaction, or trust-boundary disclosure. In this skill context, inputs may come from speech recognition or polished text that can contain sensitive personal or confidential content, so silent transmission to an external service creates a genuine privacy and data-handling risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.31.0
Confidence
95% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
requests>=2.31.0
Confidence
99% confidence
Finding
requests>=2.31.0

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.