Back to skill

Security audit

Baoyu Image Gen

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill mostly does what it claims, but its optional Codex CLI provider gives a local Codex subprocess full filesystem-level authority, which is too broad for ordinary image generation.

Install only if you are comfortable with external image providers receiving your prompts and reference images. Avoid the `codex-cli` provider unless you intentionally want to use your logged-in Codex session and accept that it runs a full-access local Codex subprocess; prefer direct API providers when possible, avoid sensitive local reference images, and do not set wrapper/base-url override environment variables unless you fully trust the target.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code explicitly launches the external `codex` CLI with `--sandbox danger-full-access`, granting broad local system access that is not necessary for a skill whose stated purpose is image generation. Because untrusted user-controlled `instruction` text is piped directly into that agent, prompt-driven tool misuse or local file access can occur with the full privileges of the running user.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest describes direct image generation through named provider APIs, but this implementation instead delegates to a general-purpose `codex` CLI agent. That mismatch is security-relevant because users and reviewers may not realize their prompts are being sent to a local high-capability agent process with different behavior, privileges, and data flows than the declared API-only design.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The provider allows the executable/script path to be overridden via BAOYU_CODEX_IMAGEGEN_BIN and then directly executes that path with spawn(). If an attacker can influence environment variables or the runtime configuration, they can cause arbitrary code execution under the privileges of the hosting process, which exceeds normal image-generation behavior.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text is very broad ('generate, create, or draw images'), which can cause the skill to activate for common requests without making users aware that third-party APIs, local scripts, and provider-specific routing may be used. Over-broad invocation increases the chance of unintended execution in contexts where a user expected a simple discussion or local-only help, especially given the skill's network and shell capabilities.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill routes prompts and potentially sensitive reference images to multiple third-party APIs, but the description lacks an explicit user warning or consent step before transmission. In this context, that omission is security-relevant because users may unknowingly send personal photos, confidential prompts, or copyrighted material to external providers with different retention and policy regimes.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation states that prompts are written to a temp file and passed to the wrapper, but it does not clearly warn users that their prompt contents will be persisted on local disk, even if only temporarily. In an image-generation workflow, prompts may contain sensitive business, personal, or copyrighted material, so lack of disclosure can lead to unintended data exposure through temp-directory access, backups, forensic recovery, or shared-host leakage.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The file documents a structured JSONL diagnostic log option but does not warn that prompts, file paths, errors, or other request metadata may be recorded in plaintext logs. Users may enable logging for troubleshooting without realizing that sensitive prompt content or local environment details could be retained and later exposed through log collection, support sharing, or multi-user system access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that reference image URLs using http(s) are forwarded as-is, which can cause user-supplied image locations or externally hosted sensitive imagery to be sent to a third-party provider without an explicit disclosure or consent step. In an image-generation skill, reference images are often user content, so silent forwarding creates a real data-leakage/privacy risk even if it is part of intended functionality.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples instruct users to invoke third-party image providers and write outputs to local files, but they do not disclose that prompts and reference images may be transmitted to external services. In a skill centered on image generation across many providers, that omission can lead to unintentional disclosure of sensitive text or images and unexpected local file writes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User-supplied `instruction` content is sent directly to a `codex exec` subprocess running with `danger-full-access`, yet this file provides no indication of warning, consent, or restriction around that privileged execution. In the context of an image-generation skill, this significantly increases risk because a user expects media generation, not delegation of their prompt to a powerful local agent that may access files or perform unintended actions.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The function creates a temporary log file and later writes combined stdout and stderr to it, potentially persisting prompts, generated content metadata, error output, or sensitive local information emitted by the subprocess. While lower severity than the sandbox issue, undisclosed retention of this data can expose user content or environmental details to other local processes, backups, or operators.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The code fetches an arbitrary URL returned in the Agnes API response without validating the scheme, host, or IP range. If the upstream service is compromised or malicious, this can trigger server-side requests to internal or sensitive network endpoints, creating an SSRF-style risk and allowing unexpected outbound access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code reads local files from paths supplied in `referenceImages` and uploads them to Azure in a multipart request, but this file contains no consent gate, warning, or privacy disclosure before exfiltrating local content to a third-party service. In an image-generation skill, users may not realize that reference images are transmitted off-host, which can expose sensitive local images if the caller passes private files.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The prompt is directly sent to the Azure OpenAI image generation endpoint with no disclosure in this file that user text leaves the local environment. While sending prompts to a remote model API is expected functionality, lack of transparency can still create privacy risk if users include secrets, proprietary data, or regulated content in prompts.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The code fetches and trusts a remote URL returned by the upstream API without validating the scheme, host, or resolved IP range. If the provider, its response path, or a misconfigured base URL is compromised, this can enable server-side request forgery or unintended access to internal network resources during image download.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads arbitrary local reference image files and uploads their contents to a third-party Seedream API, but there is no explicit consent prompt, warning, or other user-facing indication at the transfer point. In an agent skill that may be invoked on behalf of a user, this can cause unintentional disclosure of sensitive local images or metadata-bearing content to an external provider.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The code downloads an image from a URL supplied in the API response without validating the URL's scheme, host, or origin. If the upstream service, configuration, or response is compromised, this can trigger server-side requests to unintended destinations, enabling SSRF-style access to internal resources or unexpected outbound connections.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/codex-imagegen/spawn.ts:35

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/providers/codex-cli.ts:91

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/providers/google.ts:99

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/agnes.ts:15

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/azure.ts:36

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/dashscope.ts:113

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/google.ts:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/jimeng.ts:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/minimax.ts:39

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/openai.ts:6

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/openrouter.ts:44

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/replicate.ts:38

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/seedream.ts:49

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/zai.ts:43

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/providers/jimeng.ts:268