Back to skill

Security audit

Ghost Eye

Security checks across malware telemetry and agentic risk

Overview

Ghost Eye does what it says, but it can automatically send any incoming image to a third-party vision API and cache extracted text without clear end-user consent.

Install only if you are comfortable sending images to the configured vision provider. Avoid silent auto-preprocess for private chats, screenshots, IDs, medical records, legal or business documents, and consider disabling the cache or purging it regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill documentation describes access to environment variables, local file paths, and outbound network calls, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: operators may enable the skill without understanding that it can read local image files and transmit image content to an external service.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The auto-preprocess mode is triggered on any inbound image with no documented scope limits, exclusions, or consent boundary. In context, this means sensitive screenshots, IDs, medical images, or private documents could be automatically processed and sent externally even when the user did not explicitly request analysis.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly says users may not know preprocessing occurs, while image data is sent to an external vision API. This is a significant privacy and consent issue because uploaded images may contain personal data, secrets, or regulated information that is transmitted off-platform without an informed user warning.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Passing OCR and visual summary output directly into conversation context can expose sensitive extracted text and image-derived details to downstream model processing, logging, memory, or later reuse. Without redaction or sensitivity checks, private information from documents, screens, or photos may be unnecessarily propagated beyond the original image analysis step.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes automatic image preprocessing and instructs users to route image content through an external vision skill, but it does not clearly warn that uploaded images and screenshots may be transmitted to a third-party provider. In a multimodal pipeline, users may include sensitive screenshots, documents, or photos, so the lack of explicit disclosure and consent guidance creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends user-supplied image content to an external third-party API, including full image bytes encoded as a data URL, without any in-file user warning, consent step, or data-handling disclosure. This is dangerous because images may contain sensitive personal, corporate, or regulated information, and the skill context explicitly processes arbitrary user images, making external transmission central to its operation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script caches OCR/analysis results derived from images to local disk for up to 7 days without any user-facing notice or controls. This can expose sensitive extracted text or business information to other local users, backups, or later compromise of the host, especially because OCR output may contain secrets not obvious from filenames or workflow context.

External Transmission

Medium
Category
Data Exfiltration
Content
| Variable | Required | Default |
|----------|----------|---------|
| NEXN2_API_KEY | โœ… Yes | โ€” |
| NEXN2_BASE_URL | No | https://api.siliconflow.cn/v1 |
| NEXN2_MODEL_NAME | No | nex-agi/Nex-N2-Pro |
| NEXN2_PROMPT_TEMPLATE | No | Built-in structured template |
| NEXN2_IMAGE_COMPRESS | No | true |
Confidence
87% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
"enabled": true,
  "apiKey": { "source": "env", "provider": "default", "id": "NEXN2_API_KEY" },
  "env": {
    "NEXN2_BASE_URL": "https://api.siliconflow.cn/v1",
    "NEXN2_MODEL_NAME": "nex-agi/Nex-N2-Pro",
    "NEXN2_IMAGE_COMPRESS": "true",
    "NEXN2_CACHE_ENABLE": "true",
Confidence
86% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
"id": "NEXN2_API_KEY"
        },
        "env": {
          "NEXN2_BASE_URL": "https://api.siliconflow.cn/v1",
          "NEXN2_MODEL_NAME": "nex-agi/Nex-N2-Pro",
          "NEXN2_IMAGE_COMPRESS": "true",
          "NEXN2_CACHE_ENABLE": "true",
Confidence
87% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
Environment:
  NEXN2_API_KEY        required
  NEXN2_BASE_URL        default https://api.siliconflow.cn/v1
  NEXN2_MODEL_NAME      default nex-agi/Nex-N2-Pro
  NEXN2_PROMPT_TEMPLATE  optional custom prompt
  NEXN2_IMAGE_COMPRESS  default true
Confidence
93% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
if not api_key:
        raise RuntimeError("ๅ›พ็‰‡ๅˆ†ๆžๅŠŸ่ƒฝๆœช้…็ฝฎ API Key๏ผŒ่ฏท่”็ณป็ฎก็†ๅ‘˜่ฎพ็ฝฎ NEXN2_API_KEY ็Žฏๅขƒๅ˜้‡")

    base_url = _env("NEXN2_BASE_URL", "https://api.siliconflow.cn/v1").rstrip("/")
    model = _env("NEXN2_MODEL_NAME", "nex-agi/Nex-N2-Pro")
    timeout = int(_env("NEXN2_TIMEOUT_MS", "60000")) / 1000
Confidence
95% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:31