Pollinations

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Pollinations media tool, but it can automatically send local media to external services, including an under-disclosed third-party image host.

Review this skill before installing if you may use it with private images, videos, audio, URLs, or confidential prompts. Treat local media analysis, transcription, and image editing as remote uploads. The highest concern is that local image edits may first upload files to a temporary third-party host outside Pollinations, with unclear disclosure and retention expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell-based capabilities (`curl`, `jq`, `base64`, shell install commands) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: callers may not realize the skill can execute local commands and make network requests, which increases the chance of unintended command execution or data handling outside expected controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior reportedly includes uploading local images to `litterbox.catbox.moe`, a third-party temporary file host, even though the description says the skill interfaces with Pollinations.ai. This undisclosed extra-party exfiltration materially changes the data flow and can expose sensitive local files to an unrelated external service without informed user consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
When a local file is provided, the script silently uploads the image to an unrelated third-party temporary hosting service before sending its URL to Pollinations. This creates an undisclosed data-sharing path for potentially sensitive user images and expands the trust boundary beyond the stated Pollinations-focused skill, which can lead to privacy, compliance, and confidentiality issues.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The inline note says local files are uploaded to 0x0.st, but the implementation actually sends them to litterbox.catbox.moe. This mismatch is dangerous because it misleads users and reviewers about where sensitive data is sent, undermining informed consent and security review accuracy.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance is very broad ('use when user requests AI-powered content... or mentions Pollinations'), which can cause the skill to trigger in many ambiguous situations. Over-broad activation raises the risk of accidental invocation, unnecessary external API calls, and unintended transmission of user prompts or files to third-party services.

Missing User Warnings

High
Confidence
94% confidence
Finding
The markdown states that local files and URLs can be provided for image/video/audio analysis and transcription, but it does not clearly warn that this content will be sent to an external API. Users may unknowingly expose sensitive media, documents, or embedded metadata, making this a meaningful privacy and data-governance issue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends either a user-supplied image URL or the full contents of a local image file, converted to a base64 data URL, to a remote Pollinations API endpoint without any explicit consent prompt, warning, or policy check. This creates a real data disclosure risk because users may analyze sensitive local images assuming processing is local, while the skill silently uploads the content to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads either a local video file (base64-encoded) or a user-supplied video URL to a remote Pollinations API, but it provides no explicit privacy notice, consent check, or warning that video contents will leave the local environment. This is a real data-handling risk because videos may contain sensitive visual, audio, or metadata content, and users may not realize the command transmits that material off-host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script's only warning is a brief note that local files are auto-uploaded, without a clear privacy or security warning that user images are sent to a public third-party temporary host. In an image-editing skill, users may reasonably supply personal, proprietary, or regulated images, so insufficient disclosure materially increases the risk of unintended data exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends the user-provided prompt and optional image URL directly to gen.pollinations.ai via curl, and there is no explicit notice, confirmation, or consent step warning that potentially sensitive content will leave the local environment. In an agent skill context, prompts can easily contain private user data, internal URLs, or confidential descriptions, so silent transmission to a third-party service creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads either a local audio file or a downloaded audio URL to a third-party API for transcription, but it does not provide a clear warning, confirmation, or privacy notice before transmitting potentially sensitive voice content. In a transcription utility, this is expected functionality, but it still creates a real privacy and data-handling risk because users may unknowingly send confidential recordings off-host.

External Transmission

Medium
Category
Data Exfiltration
Content
AUTH_HEADER="-H \"Authorization: Bearer $POLLINATIONS_API_KEY\""
fi

RESPONSE=$(curl -s -H "Content-Type: application/json" \
  ${POLLINATIONS_API_KEY:+-H "Authorization: Bearer $POLLINATIONS_API_KEY"} \
  -X POST "https://gen.pollinations.ai/v1/chat/completions" \
  -d "$BODY")
Confidence
90% confidence
Finding
curl -s -H "Content-Type: application/json" \
  ${POLLINATIONS_API_KEY:+-H "Authorization: Bearer $POLLINATIONS_API_KEY"} \
  -X POST "https://gen.pollinations.ai/v1/chat/completions" \
  -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Make request (longer timeout for video processing)
echo "Analyzing video with $MODEL..."

RESPONSE=$(curl -s --max-time 300 -H "Content-Type: application/json" \
  ${POLLINATIONS_API_KEY:+-H "Authorization: Bearer $POLLINATIONS_API_KEY"} \
  -X POST "https://gen.pollinations.ai/v1/chat/completions" \
  -d @"$BODY_FILE")
Confidence
90% confidence
Finding
curl -s --max-time 300 -H "Content-Type: application/json" \
  ${POLLINATIONS_API_KEY:+-H "Authorization: Bearer $POLLINATIONS_API_KEY"} \
  -X POST "https://gen.pollinations.ai/v1/chat/completions" \

External Transmission

Medium
Category
Data Exfiltration
Content
# Make request
echo "Transcribing audio with $MODEL..."

RESPONSE=$(curl -s --max-time 300 -H "Content-Type: application/json" \
  ${POLLINATIONS_API_KEY:+-H "Authorization: Bearer $POLLINATIONS_API_KEY"} \
  -X POST "https://gen.pollinations.ai/v1/chat/completions" \
  -d @"$BODY_FILE")
Confidence
91% confidence
Finding
curl -s --max-time 300 -H "Content-Type: application/json" \
  ${POLLINATIONS_API_KEY:+-H "Authorization: Bearer $POLLINATIONS_API_KEY"} \
  -X POST "https://gen.pollinations.ai/v1/chat/completions" \

VirusTotal

No VirusTotal findings
