Back to skill

Security audit

Baoyu Imagine

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed image-generation skill; the main user consideration is that prompts, reference images, and API keys are used with external AI providers.

Install only if you are comfortable sending prompts, selected reference images, and possibly reference URLs to the configured image provider. Keep provider API keys in the documented env files, avoid using sensitive local images or internal/signed URLs as references, and review any custom *_BASE_URL settings before running batch jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs the runtime to use shell execution, environment variables containing API credentials, and network access to multiple third-party providers, yet it declares no permissions. That mismatch is a real security issue because users and host runtimes cannot accurately assess or constrain what the skill is capable of doing, increasing the risk of unintended command execution, credential exposure, or outbound data transfer.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger text is very broad ('use when user asks to generate, create, or draw images'), which can cause the skill to activate for common requests without sufficiently specific user intent. In this case that matters because the skill can invoke shell commands, consume API keys, write files, and send prompts or references to external services, so accidental invocation can lead to unnecessary data exposure or unintended spending.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that reference images are either inlined as base64 or passed through from remote URLs, but it does not clearly warn users that their local image contents or referenced URLs will be sent to DashScope or another external service. In an image-generation skill, users may supply sensitive personal, proprietary, or regulated images; silent transmission to a third-party provider creates a real privacy and data-handling risk, especially because remote URLs can also reveal internal or user-specific resources.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
When remote reference URLs are allowed, user-supplied HTTP(S) URLs can be forwarded to an external provider without an explicit warning at execution time. This can unintentionally disclose internal or sensitive URLs, and if a backend fetches the URL server-side it can create SSRF-style exposure against provider infrastructure or leak access-controlled resources embedded in signed URLs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads each user-supplied reference image from local disk, converts it to a data URL, and sends it to the OpenRouter API with no explicit confirmation, allowlist, or privacy warning. In an agent context, this can cause unintended exfiltration of sensitive local files if the user or upstream workflow passes private image paths, especially because the transfer to a third-party provider is automatic.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The code fetches an image from a URL supplied by the provider response without validating the hostname, scheme, or destination. If the provider, a proxy, or a misconfigured/custom base URL returns a malicious URL, this can enable server-side request forgery or unintended access to internal network resources, and the downloaded content is trusted as image bytes without additional checks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/providers/google.ts:97

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/azure.ts:36

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/dashscope.ts:113

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/google.ts:17

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/jimeng.ts:7

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/minimax.ts:39

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/openai.ts:6

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/openrouter.ts:44

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/replicate.ts:38

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/seedream.ts:49

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/providers/zai.ts:43

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/providers/jimeng.ts:268