Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
pillow>=10.0.0
- Confidence
- 94% confidence
- Finding
- pillow>=10.0.0
Picture
Security checks across malware telemetry and agentic risk
Overview
This is a straightforward local image-editing skill with a normal Pillow dependency, but users should manage that dependency carefully.
Install in an environment where you are comfortable processing local images with Pillow. Prefer pinning or otherwise constraining Pillow to a reviewed current version, keep dependency scanning enabled, avoid untrusted oversized images, and save outputs to new filenames to preserve originals.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)
Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more
Critical
- Category
- Supply Chain
- Confidence
- 88% confidence
- Finding
- pillow
VirusTotal
66/66 vendors flagged this skill as clean.