Back to skill

Security audit

doubao-seedream-skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Volcengine Seedream image-generation skill, but it sends prompts and optional reference images to an external API and saves generated images locally.

Install only if you are comfortable using a Volcengine API key and sending prompts, image URLs, and any local reference images to Volcengine. Avoid secrets, personal data, or regulated images in prompts or uploads, use --tools/web_search only deliberately, and choose an output directory where generated files can safely be stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly requires an API key from the environment and performs outbound network requests, yet it does not declare permissions or equivalent execution boundaries. This can cause the host agent to invoke a capability-bearing skill without clear authorization, reducing visibility into secret access and data egress.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill is described as an image-generation tool, but it also permits model-side tools via the tools parameter, including web_search. That expands the skill's effective capability beyond its stated purpose, which can cause unanticipated outbound data exposure or retrieval behavior when prompts and possibly related context are sent to a tool-enabled remote model.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Exposing web-search capability in a skill whose stated purpose is only image generation violates least functionality and increases the attack surface. In context, this makes the skill more dangerous because users may provide sensitive prompts or references expecting only image synthesis, not network-augmented processing by the upstream model.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents use of an external image-generation API but does not clearly warn users that their prompts are transmitted to a third-party service and that generated images are automatically saved locally. This can lead to unintentional disclosure of sensitive prompts or creation of sensitive files on disk, especially in agent or automated environments where users may assume local-only processing.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation description says the skill should be used whenever the user needs image generation, which is broad enough to overlap with ordinary requests and may cause automatic invocation without sufficient user awareness. In a skill that sends prompts and possibly image inputs to a third-party API, overbroad triggering increases the risk of unintended external data disclosure and unexpected costs.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example trigger phrase '生成一张xxx图片' is underspecified and does not define boundaries for similar conversational phrasing, making misfires more likely. Because this skill can transmit prompts, reference images, and possibly use web search, accidental triggering can expose user data or perform unwanted external actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states that the skill directly calls an external API and downloads generated images locally, but it does not clearly warn users what data may be transmitted, retained, or exposed to third parties. This is particularly important because prompts, reference image paths/URLs/Base64 content, and optional web search queries may all contain sensitive information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Reference images supplied as file paths are automatically converted to base64 and uploaded to the remote API, but the interface does not clearly warn users that local files will leave the host. This is a real privacy and data-handling issue because users may accidentally transmit sensitive local images under the assumption that processing is local or that only prompts are sent.

External Transmission

Medium
Category
Data Exfiltration
Content
"size": "2048x2048"
}

response = requests.post(API_URL, headers=headers, json=data)
result = response.json()

if "data" in result:
Confidence
91% confidence
Finding
requests.post(API_URL, headers=headers, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.