Back to skill

Security audit

rembg: remove-image-background

Security checks across malware telemetry and agentic risk

Overview

The skill does remove image backgrounds, but it also has avoidable code-execution risks and makes persistent environment changes that users should review before installing.

Install only if you are comfortable with it creating ~/.venv/rembg, downloading rembg models to ~/.u2net, installing Python packages, and editing your PATH or shell startup files. Review or patch the path handling before processing images from untrusted sources or archives, and check your shell configuration or Windows PATH afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    ]
    
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0
Confidence
98% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    ]
    
    result = subprocess.run(cmd, capture_output=True, text=True)
    
    if result.returncode != 0:
        print(f"✗ 处理失败 (Processing failed): {result.stderr}")
Confidence
98% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("=" * 50)
        
        install_script = os.path.join(PROJECT_ROOT, "setup", "install.py")
        result = subprocess.run([sys.executable, install_script], capture_output=True, text=True)
        
        if result.returncode != 0:
            print(f"✗ 环境初始化失败 (Environment initialization failed): {result.stderr}")
Confidence
81% confidence
Finding
result = subprocess.run([sys.executable, install_script], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("=" * 50)
            
            install_script = os.path.join(PROJECT_ROOT, "setup", "install.py")
            result = subprocess.run([sys.executable, install_script], capture_output=True, text=True)
            
            if result.returncode != 0:
                print(f"✗ 环境初始化失败 (Environment initialization failed): {result.stderr}")
Confidence
81% confidence
Finding
result = subprocess.run([sys.executable, install_script], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 使用 PowerShell 设置环境变量
                ps_cmd = f'[Environment]::SetEnvironmentVariable("PATH", "{new_path}", "User")'
                result = subprocess.run(
                    ["powershell", "-Command", ps_cmd],
                    capture_output=True,
                    text=True
Confidence
88% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_cmd], capture_output=True, text=True )

Tainted flow: 'ps_cmd' from os.environ.get (line 67, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# 使用 PowerShell 设置环境变量
                ps_cmd = f'[Environment]::SetEnvironmentVariable("PATH", "{new_path}", "User")'
                result = subprocess.run(
                    ["powershell", "-Command", ps_cmd],
                    capture_output=True,
                    text=True
Confidence
93% confidence
Finding
result = subprocess.run( ["powershell", "-Command", ps_cmd], capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation indicates capabilities including shell execution, environment access, and file read/write, yet no permissions are declared. This creates a transparency and consent problem: users or an orchestrating platform may treat the skill as low-risk while it can modify the local environment and filesystem during setup and execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is background removal, but the described behavior extends to system-level setup actions such as creating a virtualenv under the user's home directory, installing dependencies, modifying shell configuration, and triggering model downloads. This mismatch is dangerous because it hides persistence and host modification behind a benign image-editing workflow, increasing the chance that users approve actions they did not expect.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script automatically initializes and installs environment components as a side effect of running an image-processing command. That expands the trust boundary from local image handling to arbitrary code execution from the setup process, which is more dangerous than users would expect from the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script couples its core function with automatic environment bootstrapping by spawning subprocesses that create or repair a virtual environment in the user's home directory. This broadens the attack surface and violates least surprise, because using the tool can trigger package installation and execution of additional code.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The installer persistently modifies shell startup files and user PATH, which exceeds minimal environment setup and creates lasting side effects on the host. Persistent profile modification increases the blast radius of mistakes and can be abused to influence future command resolution.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Modifying user-level environment variables and shell init files is not strictly necessary for an image background-removal skill to function. In this context, the behavior is more dangerous because it alters the user's broader execution environment beyond the advertised image-processing task.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Automatically installing environment components without clear upfront warning reduces informed consent and can surprise users into executing setup code. In a skill meant for image background removal, hidden installation logic is more suspicious because it performs privileged or network-relevant actions beyond the primary function.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently initializes dependencies and writes under `~/.venv/rembg` without asking the user first. In an agent skill, hidden environment changes are risky because users may expect only image transformation, not package installation or persistent filesystem modification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.