Security audit

Meme Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward connector to Memesio's hosted meme-generation service, with expected privacy and API-key handling considerations.

Install only if you are comfortable using Memesio as an external hosted service. Do not send private, confidential, regulated, or personal images or prompts unless that transfer is approved; keep any returned API key private; and choose private visibility unless you intend generated memes to be public.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly directs users to a remote third-party MCP endpoint and supports uploading images and sending prompts, but it does not warn that those inputs will be transmitted to an external service. This creates a privacy and data-handling risk because users may unknowingly send sensitive images, prompts, or generated content to Memesio under that provider's retention, logging, and policy controls.

Vague Triggers

Low
Confidence: 86%
Finding
The guidance says to use no connection-level authentication while only passing apiKey to keyed tool calls, but it does not clearly bound which operations are safe to expose unauthenticated. In practice, this can cause integrators to configure the whole MCP endpoint as broadly accessible and assume all non-keyed calls are harmless, increasing the chance of unintended unauthenticated access or account creation abuse.

Missing User Warnings

Medium
Confidence: 92%
Finding
The reference describes caption_upload as fetching an image URL or accepting base64 image input, but it does not warn that user-supplied images are sent to a remote third-party service. This can lead agents or users to transmit sensitive images without informed consent, creating privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The create_agent_account tool is documented as returning a first key, which is effectively a credential, but the reference provides no warning about secure handling. Without that warning, an agent may log, echo, persist, or expose the returned key, leading to credential leakage and unauthorized use of the associated Memesio account.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.