Security audit

GLM-Image-Gen

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill that uses a Zhipu API key and sends image prompts to Zhipu as expected.

Install only if you trust Zhipu with your prompts and API usage. Avoid putting secrets or sensitive personal data in prompts or --user-id, protect ZHIPU_API_KEY like a password, and use --save only with an intended output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The CLI allows an optional --user-id that is forwarded to the remote GLM API, but the interface does not clearly warn users that this value is transmitted off-host for moderation or provider-side processing. This is a real privacy issue because operators may supply internal usernames, emails, or other identifiers without understanding the disclosure, though it is not an exploit-style code execution flaw.

VirusTotal

67/67 vendors flagged this skill as clean.