Github Image Hosting

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: uploads images to a third-party image host for GitHub use, with no hidden code or install-time behavior found.

Install only if you are comfortable sending selected screenshots or images to img402.dev and then embedding the hosted URL in GitHub. Review images for secrets, customer data, private code, or unreleased product details before upload, especially for long-retention or permanent paid tiers.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger language is broad enough that an agent may invoke this skill for many image-related requests without clearly establishing user intent to send data to an external hosting service. In this skill's context, that increases the chance of unintended third-party exfiltration of screenshots, mockups, or other potentially sensitive visual content.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs users to upload images to img402.dev but does not prominently warn that images are transmitted to an external third-party service with defined retention periods. Because this skill is meant for screenshots and visual artifacts commonly containing secrets, internal code, customer data, or unreleased product information, the missing disclosure materially increases privacy and data-leak risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal