图片检索技能（KuMa定制版）

Security checks across malware telemetry and agentic risk

Overview

The skill performs image search as advertised, but local images can be automatically uploaded to public third-party image hosts without a clear consent step.

Review before installing. Use this only for images you are comfortable sending to SerpAPI and, for local files, to freeimage.host or imgbb. Avoid private photos, IDs, documents, proprietary screenshots, or confidential images unless the skill is changed to require explicit confirmation or to accept only already-public image URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 83% confidence
Finding: The skill documentation declares only environment requirements in metadata while the documented behavior clearly includes outbound network access to SerpAPI and image hosting services. Undeclared network capability is security-relevant because it can transmit user-provided images and metadata off-platform without explicit permission gating or review. In an image-analysis skill, network access is expected, but failing to declare it reduces transparency and weakens policy enforcement.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The documented purpose says the skill performs Google Lens search via SerpAPI, but the behavior also includes uploading local files to third-party hosting services, optional use of another API key/service, and returning OCR/text extracted from images. This mismatch is dangerous because users or orchestrators may provide sensitive local images assuming only SerpAPI is involved, when in fact the content may be published to external hosts and additional data may be extracted and exposed. Given the skill's context, handling local images makes this especially sensitive because photos commonly contain personal, proprietary, or location-revealing information.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The script silently changes behavior for local files by uploading them to third-party image hosts before sending the resulting URL to SerpAPI. That is a material data-flow expansion beyond the advertised Google Lens search capability and can expose sensitive images to additional external services, retention policies, and public accessibility risks.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The code includes an unrelated fallback upload path to freeimage.host using a hardcoded public API key, which broadens external data exposure without being central to the stated function. Hardcoding a shared third-party upload credential also reduces accountability and makes the privacy and lifecycle of uploaded user content unclear.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README states that local image files are auto-uploaded to third-party hosting services to obtain a searchable URL, but it does not clearly warn users that their local content will leave the system and be shared with external providers. In an agent skill context, users may submit sensitive photos containing personal, confidential, or regulated data, so silent or poorly disclosed exfiltration to public/third-party image hosts creates a meaningful privacy and data-leak risk.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger description says the agent will automatically use the skill when users send images asking broad questions like 'what is this?', which can overlap with ordinary conversation and cause the skill to run without sufficiently specific user intent. Because this skill may upload local images to third parties, overly broad auto-invocation increases the chance of unintended data disclosure and unexpected external API calls.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The usage examples encourage passing local image paths, but the documentation does not warn that those files may be uploaded to public third-party hosting to obtain a searchable URL. That creates a real risk of unintended disclosure of sensitive images, embedded metadata, documents, screenshots, or personal photos. In this skill, the danger is elevated because local-file support invites users to submit exactly the kind of private content that should not be silently externalized.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: For local files, the tool transmits image contents to third-party hosting services without an explicit user-facing warning at the decision point. In an image-search skill, users may reasonably expect analysis by the named provider, not publication or transfer to additional external hosts, which raises significant privacy and confidentiality concerns.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal