Cartoon Pet Generator

Security checks across malware telemetry and agentic risk

Overview

The skill makes cartoon pet images as described, but its script can run unintended shell commands if given a crafted output filename.

Review before installing. Use only fixed, trusted output filenames in a safe directory such as /tmp, and prefer a patched version that validates paths and uses execFileSync or spawn with argument arrays instead of shell strings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to write files to disk and invoke local conversion binaries without any safety guidance around path handling, overwrite behavior, or execution boundaries. In an agent environment, undocumented local command execution and filesystem writes increase the risk of unsafe file placement, accidental overwrites, or abuse if user-controlled arguments are passed through to scripts or shell commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal