Security audit

Showmeai

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Showmeai media-generation skill that uses the expected API key, network calls, and local media files for its stated purpose.

Install only if you trust Showmeai with prompts, uploaded images, video frames, and generation metadata. Use a scoped API key if possible, keep Showmeai_BASE_URL pointed at the intended provider, avoid confidential media or private internal URLs, and remember that saved media persists locally until removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill documentation declares no permissions while clearly requiring environment variables, network access, and local file read/write for uploading media and saving outputs. This under-disclosure weakens user consent and platform enforcement because operators may invoke a skill with broader capabilities than are transparently declared.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
The documented behavior omits materially relevant actions: image editing uploads input media, async task querying contacts remote endpoints, and some models save files locally even without --save. These mismatches can cause users to expose local files or create persistent artifacts they did not expect, undermining informed consent and safe operation.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The README explicitly encourages saving generated media locally but does not prominently warn that this writes files to the user's filesystem. In an agent setting, unclear documentation around local file creation can cause unexpected persistence of content, privacy issues, or disk usage without fully informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The skill documentation promotes use of a third-party API for image, video, and 3D generation but does not clearly warn that user prompts and uploaded/generated media may be transmitted to an external service. In an agent context, users may unknowingly send sensitive text or images off-device, creating privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill does not clearly warn that prompts and uploaded media are sent to a third-party service. Users may provide sensitive prompts, images, or frames under the assumption the tool is local-only, leading to unintended disclosure to an external API provider.

VirusTotal

66/66 vendors flagged this skill as clean.
