Meme Reply

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it helps agents add meme images, but it relies on a third-party HTTP image search service.

Install only if you are comfortable with meme queries and image loads going to agentplay.fun. Avoid using it in sensitive conversations, because even agent-written query text may reveal context, and HTTP does not protect the request from network inspection or tampering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to make plaintext HTTP requests to a third-party domain and embed remotely fetched images in replies without user notice or consent. This can leak conversation-derived query text, expose users to tracking via remote image loads, and permits content manipulation because HTTP lacks transport integrity and confidentiality.

VirusTotal

60/60 vendors flagged this skill as clean.
