HiAPI GPT Image 2

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill that uses a HiAPI key to send prompts to HiAPI and save generated images, with the main risks disclosed and purpose-aligned.

Install only if you are comfortable sending image prompts and any reference image URLs to HiAPI under your account. Keep HIAPI_BASE_URL at the default unless you intentionally trust another endpoint, and back up any existing hiapi-gpt-image-2 skill folder before using the installer.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill enables implicit invocation without any visible activation constraints, which can cause the agent to call this external image-generation capability when the user did not explicitly request it. Because this skill sends user prompts to a third-party service, overbroad auto-invocation can lead to unintended data sharing, unexpected actions, or prompt-triggered abuse through ambiguous requests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal