Picture Edit

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local image-editing skill with a dependency hygiene issue but no evidence of hidden, networked, credential-seeking, persistent, or destructive behavior.

Install this in a virtual environment and consider pinning Pillow to a current reviewed version before processing untrusted images. The skill will read and write local image files as directed, which matches its stated purpose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category: Supply Chain
Content: pillow>=10.0.0
Confidence: 95%
Finding: pillow>=10.0.0

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category: Supply Chain
Confidence: 78%
Finding: pillow

VirusTotal

VirusTotal findings are pending for this skill version.
