babbleBrush

Security checks across malware telemetry and agentic risk

Overview

babbleBrush is a disclosed API guide for a cloud image editor; its credential storage and delete actions are sensitive but purpose-aligned and not hidden.

Install only if you trust BabbleBrush with the images, prompts, edit history, and any provider keys you choose to configure. Keep BABBLEBRUSH_API_KEY secure, use scoped provider keys where possible, and require explicit confirmation before adding provider credentials or deleting canvases.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to POST third-party provider API keys to babblebrush for storage, but it does not clearly and prominently warn that those secrets are being transmitted to and retained by a remote service under the service operator's control. Even though it says keys are encrypted and stored securely, that is not equivalent to informed consent about secret transmission, storage, billing implications, and trust boundaries.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documents permanent canvas deletion with no explicit warning that the action may be irreversible and may destroy image history, versions, and related data. In an agent setting, this increases the risk of accidental destructive actions because the API example normalizes deletion without requiring confirmation or emphasizing consequences.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal