visual-understanding

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward GLM vision API guide that discloses sending selected images and prompts to Zhipu/BigModel, with no hidden execution or persistence found.

Install only if you intend to send images and prompts to Zhipu/BigModel services. Keep the API key in an environment variable, prefer an isolated Python environment, and avoid submitting confidential, regulated, or personally identifying images unless you have approval and understand the provider’s data handling terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

External Transmission

Medium

Category: Data Exfiltration
Content: --- name: glm-4.6v-vision-connector description: "智谱 GLM-4.6V 多模态视觉模型集成插件。支持本地图像解析（Base64）及公网链接读取。优先提供 zai SDK 接入，并包含 cURL 原生降级方案。" version: "1.1.0" homepage: "https://github.com/zai-org/GLM-V" repository: "https://github.com/zai-org/GLM-V.git"
Confidence: 81% confidence
Finding: cURL 原生降级方案。" version: "1.1.0" homepage: "https://github.com/zai-org/GLM-V" repository: "https://github.com/zai-org/GLM-V.git" authors: ["IsabellaZhangYM"] license: "MIT" requirements: environment_

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal