Qwen Vision Rename

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent image-renaming purpose, but it can upload local images and batch-rename files by default, including from an auto-selected Pictures folder.

Install only if you are comfortable sending selected local images to the configured Dashscope/Qwen-compatible endpoint. Use an explicit folder, run a dry-run first, review the generated plan, keep backups for important images, and avoid public media URL mode unless you understand where copied images will be served and how to clean them up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill declares no explicit permissions while its documented behavior clearly involves reading local files, renaming files, accessing environment variables, and calling a remote vision API. This weakens trust boundaries and informed consent because users and orchestrators may not realize the skill can modify local data and transmit image content off-host.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The description frames the skill as local batch renaming, but the documented behavior expands to image description, rollback handling, and remote API-based image processing, including possible public media exposure per the finding. That mismatch can cause users to authorize a seemingly simple local rename task without understanding that image content may leave the machine or be exposed externally.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The code can copy local images into a publish directory and return a publicly reachable URL, which materially expands the skill from local renaming into external publication of user files. In the context of personal photos and screenshots, this can expose sensitive content to the internet, especially because the publication path is then used to satisfy remote model access requirements.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger phrases are broad and mandatory, causing the skill to activate for common requests like organizing or renaming images even when the user may not intend remote analysis or file mutation. Overbroad routing increases the chance of accidental execution of a file-writing, network-capable workflow on sensitive local image collections.

Missing User Warnings

High
Confidence: 95%
Finding
The skill defaults to immediately renaming local files unless the user explicitly asks for preview or dry-run, but it does not present a prominent warning or confirmation about modifying the filesystem. In a skill that processes batches of local images, default destructive or state-changing behavior materially raises the risk of accidental mass changes.

Missing User Warnings

High
Confidence: 96%
Finding
The runtime instructions explicitly require execution with `rename-dir --apply` by default, reinforcing silent file modification without a user-facing safety checkpoint. Because the skill can auto-select a default image directory when none is provided, this increases the chance of unintentionally renaming many personal files in common photo folders.

Missing User Warnings

Medium
Confidence: 95%
Finding
The describe flow sends image content to a remote vision API without an explicit user-facing disclosure at the point of use. For local images, this can leak private personal, financial, or identity information to a third party when the user may reasonably expect only local filename assistance.

Missing User Warnings

Medium
Confidence: 97%
Finding
Batch rename mode can transmit every image in a directory to a remote service, potentially at scale, with no explicit disclosure or confirmation. Because default directory resolution may target common photo folders, the privacy impact is amplified and could expose large collections of sensitive personal images.

VirusTotal

64/64 vendors flagged this skill as clean.