Local GMNCODE Vision

Security checks across malware telemetry and agentic risk

Overview

This image-analysis fallback is understandable, but it relies on an unreviewed local script that may send images and prompts to GMNCODE using a local API key.

Install only if you trust and can review the local scripts_gmncode_image.py helper. Use this skill only for images you are willing to send to GMNCODE, and prefer a limited-scope API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly routes image analysis through a local script that uses the external GMNCODE Responses API, but the user-facing description and usage text do not clearly warn that image contents will leave the local environment. This creates a real privacy and data-handling risk because users may provide screenshots, personal photos, or sensitive images under the assumption the processing is local or equivalent to a built-in tool.

VirusTotal

64/64 vendors flagged this skill as clean.
