Image To Image

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI image-editing CLI guide, with a credential-handling caution around showing configuration after setting an API key.

Before installing, confirm whether `ai-media config show` masks API keys. Avoid sharing terminal output, screenshots, logs, or chat transcripts that may include `AI_MEDIA_API_KEY`, and prefer environment variables or a secret manager when possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly tells users to run both `ai-media config set-key <KEY>` and `ai-media config show`, which can encourage exposing a live API credential in terminal output, logs, screenshots, or shared session transcripts. In a CLI skill whose core purpose is onboarding to a third-party service, this context makes the issue more dangerous because users are likely to follow the steps verbatim while handling real production secrets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal