AI Image Generator & Editor — GPT Image 2, Nanobanana, ComfyUI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill that discloses its provider credentials, local image handling, and output behavior, with no artifact-backed evidence of hidden or destructive activity.

Before installing, confirm you trust the external meigen@1.3.2 npm package and any image provider you configure. Use a dedicated API token where possible, keep config files private, and only pass local image paths you are comfortable sending to the selected provider unless using local ComfyUI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Low
Confidence: 87%
Finding
The documentation instructs users to place an API key in a plaintext config file under their home directory without any warning about file permissions, secret storage, or safer alternatives. While this is common in setup docs, it increases the chance of credential exposure through overly permissive filesystem permissions, backups, dotfile syncing, or accidental sharing.

VirusTotal

VirusTotal findings are pending for this skill version.
