ImgLink

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple image-URL helper, with the main caution that prompts and optional API keys are placed in shareable external URLs.

Install only if you are comfortable sending prompts to imglink.ai and embedding the resulting URLs. Use the anonymous mode for testing, avoid confidential prompts or personal data, and do not place long-lived or sensitive API keys in URLs that may be published, logged, cached, or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs use of a GET URL containing both the prompt and optional API key in the query string, but does not warn that these values are sent to an external service and may be exposed in logs, browser history, referrers, analytics systems, proxies, and shared documents. Because the output is designed to be embedded in websites, presentations, Markdown, and PDFs, this context increases the chance that secrets or sensitive prompt content will be unintentionally disclosed beyond the original user.

VirusTotal

65/65 vendors flagged this skill as clean.
