Back to skill

Security audit

AI图像创作

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a normal API-backed image generation helper, with some credential-handling hygiene risks users should manage.

Prefer setting JUHE_IMAGE_KEY as an environment variable or through a secret manager. Avoid passing the key on the command line, do not commit scripts/.env, and restrict file permissions if you choose to use a .env file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
export JUHE_IMAGE_KEY=你的AppKey

# 方式二:.env 文件(在脚本目录创建)
echo "JUHE_IMAGE_KEY=你的AppKey" > scripts/.env

# 方式三:每次命令行传入
Confidence
83% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export JUHE_IMAGE_KEY=你的AppKey

# 方式二:.env 文件(在脚本目录创建)
echo "JUHE_IMAGE_KEY=你的AppKey" > scripts/.env

# 方式三:每次命令行传入
python scripts/image_generate.py --key 你的AppKey "一只猫咪在草地上玩耍"
Confidence
88% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.