Security audit

ZM IMG2 Direct Image Generation Execution

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill largely matches its stated purpose, but its queue can run arbitrary task-supplied shell commands, which needs human review before installation.

Review this skill before installing. It should be run only in a sandbox or trusted workspace unless the command and mock_command execution paths are removed or strongly gated. Expect prompts, reference image paths, logs, and result files to be stored locally and prompts/reference images to be sent to the configured Happy image provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes Python and Node scripts, performs network calls to an external image API, reads provider configuration from the environment/local config, and reads/writes files and logs, yet it declares no explicit permissions. This creates a trust and review gap: callers may authorize or execute the skill without understanding that it can access local data, write artifacts, spawn shell commands, and send data off-host to a remote provider.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The queue accepts a task-supplied command field and later executes it, which turns an image-generation worker into a general-purpose command runner. In an agent skill context, this allows untrusted task input to achieve arbitrary code execution on the host, read/write files, exfiltrate secrets, and pivot beyond the intended image-generation scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The mock_command path executes attacker-controlled strings via ['bash', '-lc', str(cmd)] when the value is not a list, creating direct shell injection and arbitrary command execution. Even if intended for testing, this capability is present in the operational code path and can be triggered through task input, making the skill far more dangerous than its stated image-generation purpose.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code accepts arbitrary command execution from task input without any confirmation, privilege boundary, or visible warning, so users may unknowingly invoke dangerous host actions while expecting only image generation. In this skill context, that mismatch is especially risky because callers are likely to trust the queue as a bounded media-processing tool rather than a shell-capable executor.
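The gating the findings above call for, as an added example rather than the skill's own code: a pre-enqueue task validator that rejects any task carrying a command or mock_command field, and a mock runner that only accepts a list argv for an allowlisted program and never hands a string to bash -lc. The task field names, the workspace layout and the allowlist are assumptions made for this example.

```python
import subprocess
from pathlib import Path

# Task fields this worker is willing to act on; anything else is rejected.
# Field names are assumptions for this example, not the skill's real schema.
ALLOWED_FIELDS = {"prompt", "reference_images", "size"}
# Keys that would turn the worker into a command runner (findings 2-4).
COMMAND_FIELDS = {"command", "mock_command"}
# Only a fixed mock program may be run, and only as argv, never as shell text.
ALLOWED_MOCK_PROGRAMS = {"true"}


def validate_task(task: dict, workspace: Path) -> list:
    """Return the reasons a task must be rejected; an empty list means it may be queued."""
    problems = []
    for key in task:
        if key in COMMAND_FIELDS:
            problems.append(f"task supplies '{key}'; arbitrary execution is not allowed")
        elif key not in ALLOWED_FIELDS:
            problems.append(f"unknown field '{key}'")
    if not isinstance(task.get("prompt"), str) or not task["prompt"].strip():
        problems.append("prompt must be a non-empty string")
    # Reference image paths must stay inside the run workspace (finding 5 notes
    # that paths are persisted, so a path escaping the workspace is doubly bad).
    ws = workspace.resolve()
    for p in task.get("reference_images", []):
        resolved = (ws / p).resolve()
        if ws not in resolved.parents:
            problems.append(f"reference image '{p}' escapes the workspace")
    return problems


def run_mock(cmd) -> int:
    """Hardened mock runner: list-only argv, allowlisted program, no shell."""
    if not isinstance(cmd, list) or not cmd or not all(isinstance(a, str) for a in cmd):
        raise ValueError("mock command must be a non-empty list of strings")
    if cmd[0] not in ALLOWED_MOCK_PROGRAMS:
        raise ValueError(f"mock program '{cmd[0]}' is not allowlisted")
    # shell=False passes argv straight to execve, so no task-supplied string is
    # ever parsed by a shell; this replaces the ['bash', '-lc', str(cmd)] path.
    return subprocess.run(cmd, shell=False, check=False).returncode
```

Run validate_task on every task before it is enqueued and refuse (and log) anything that returns problems; the mock runner should be unreachable from task input entirely in production builds.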

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script persistently writes the full prompt and all input image paths to request.json inside the run directory, and also stores outputs, logs, and result JSON by design. Prompts and file paths often contain sensitive business data, personal information, internal project names, or filesystem layout details, so this creates a clear local data-exposure/privacy risk, especially in shared environments or systems with broad home-directory access.

VirusTotal

64/64 vendors flagged this skill as clean.