Doubao AI Image Generator

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Doubao image-generation skill, but it uses a logged-in browser session, saves generated images locally, and may send them through BlueBubbles/iMessage.

Install only if you are comfortable letting the agent use your logged-in Doubao browser session to submit prompts and download generated images. Use a dedicated browser profile when possible, avoid sensitive prompts, and confirm where files are saved and where attachments are sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to download files to local storage and send attachments, but does not require explicit user notice or confirmation for those file and outbound message operations. In an agent environment, silent file creation and transmission can surprise users, create privacy issues, and increase the risk of unintended data handling or sending content to the wrong destination.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill depends on a logged-in Doubao account and browser automation but does not prominently warn that it will act through an existing authenticated session. That creates risk of unintended use of the user's account, exposure of account-linked data, and actions performed under stored credentials without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal