Back to skill

Security audit

Photo Grader

Security checks across malware telemetry and agentic risk

Overview

This skill is a local photo-grading helper whose file access, command execution, and output writes match its stated RawTherapee-based purpose.

Install this if you are comfortable with a local tool reading the photo directories and parameter files you provide, running RawTherapee, and writing graded outputs. Prefer using a project virtual environment before running setup_deps.sh, or install tomli manually, so the setup script does not modify your global Python environment unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger language is broad enough that the skill could activate for many generic photo-editing requests, including cases where users did not intend shell execution or local file processing. Over-broad activation increases the chance of the agent selecting a high-capability skill inappropriately, which expands attack surface and can lead to unexpected file access or command execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs `pip3 install tomli` automatically, without an explicit confirmation prompt, which causes network-backed code/package installation as a side effect of a dependency check. In an agent setting, this is risky because it changes the host environment and may install unreviewed packages unexpectedly, especially if package indexes or pip configuration are compromised.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.