Back to skill

Security audit

Vision Sandbox

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: it sends a chosen image and prompt to Gemini for vision analysis using Google's hosted code-execution sandbox.

Install only if you are comfortable sending selected images, screenshots, prompts, and resulting analysis to Google Gemini under your API key. Avoid uploading confidential screenshots, credentials, personal data, or customer information unless your data-handling policy allows it, and review any suggested code or CSS changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares that it requires the GEMINI_API_KEY environment variable but does not declare any explicit permissions, creating a capability/permission mismatch. In an agent skill that invokes remote model execution and may pass sensitive inputs to an external service, undeclared environment access reduces transparency and can lead to accidental secret exposure or use in contexts where operators believe the skill is more constrained than it is.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The example interaction expands the skill from visual inspection into taking action on a local project file (`styles.css`). That broadens the trust boundary from analysis to modification, which can cause unintended code or UI changes if an agent follows the example without clear confirmation, review, or scoping controls.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill transmits user-supplied images and prompts to an external Gemini API while presenting itself as a 'sandbox,' which can mislead users into believing processing is local or self-contained. This creates a data exposure risk because sensitive visual content or prompts may leave the local environment without clear disclosure or policy controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes a workflow where the agent performs code-backed analysis and then updates a project file, but it provides no warning that this is a system-impacting action. In an agent skill context, omission of such guardrails can normalize unsafe autonomous edits and increase the chance of unintended modifications to user projects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends the image and prompt to an external API without any user-facing warning at the point of use, so users may unintentionally upload confidential screenshots, documents, or other sensitive data. The risk is elevated by the 'Vision Sandbox' framing, which may imply local analysis rather than third-party network transmission.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.