Use Ark (火山引擎豆包) for text-to-image (文生图) via an OpenAI-compatible API. Suitable for short captions and long, structured creative or poster-style briefs in agent workflows.

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed Ark text-to-image helper that uses an API key to call the expected image-generation service and returns an image URL.

Install only if you are comfortable sending image prompts to Volcengine Ark using your own ARK_API_KEY. Keep the API key in private environment configuration, and avoid placing sensitive or confidential prompt text in the workspace prompt file unless that is acceptable for your workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill clearly requires environment variables and makes outbound network calls to the Ark API, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or platform may invoke a networked, credential-using skill without appropriate user awareness or sandbox restrictions.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal