Security audit

Chatgpt Imagegen

Security checks across malware telemetry and agentic risk

Overview

The skill is for image generation, but it tells agents to silently download and run an unpinned CLI and can use the user's ChatGPT/Codex session without a clear approval step.

Install only if you are comfortable with an agent downloading the CLI from GitHub at runtime and using your logged-in ChatGPT or Codex session to generate images. Prefer reviewing or installing the CLI yourself from a trusted, pinned source, and use explicit backend settings if you want to avoid Codex quota or browser-session access.

SkillSpector
By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill explicitly instructs the agent to silently fetch and install an executable from a remote GitHub URL when the CLI is missing, without user approval or integrity verification. That expands the skill from image generation into arbitrary software acquisition and code execution, creating a supply-chain and silent-install risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The skill tells agents to proactively generate illustrations in the background even when the user did not request image generation. This can trigger unapproved external actions, consume the user's subscription quota, and create files in the workspace without clear consent.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
This is a direct silent-install pattern: if the CLI is absent, the agent is told to download it via curl and make it executable without warning the user. Silent installation of executable code is dangerous because it bypasses user authorization and exposes the environment to remote-code and supply-chain compromise.

Agent Config Directory Access

Severity: High
Category: Agent Snooping
Content:
| Backend | Surface | Usage bucket | Needs | Speed |
| --- | --- | --- | --- | --- |
| **`web`** | Drives the user's logged-in ChatGPT browser (via **`chrome-use`**, formerly `agent-browser-stealth`; older installs expose the same binary as `agent-browser`/`abs`) and generates in a regular chat — the same surface as typing in the app. Its real-Chrome connect is what clears Cloudflare + the sentinel proof-of-work a plain/headless client can't. | **ChatGPT conversation** — does **not** consume the metered Codex-usage limit. Works on **any** account, **including free tier** (subject to its daily image cap). | `chrome-use` installed and its extension connected to a Chrome **signed in to chatgpt.com**. | ~30–60 s; each run's chat is filed under a ChatGPT **Project** (default `imagegen`, auto-created) instead of littering the history. |
| **`codex`** | Headless POST to `chatgpt.com/backend-api/codex/responses` with the `image_generation` tool, reusing `~/.codex/auth.json`. | **Codex-usage** (metered — this is the bucket the user usually wants to spare). | `codex login` (writes `~/.codex/auth.json`). | Fast; no browser, no history. |

**Default is `auto`** (`--backend auto`, or `CHATGPT_IMAGEGEN_BACKEND`): it tries **web first** because that spares the Codex-usage limit, and falls back to **codex only when web is unavailable** — i.e. `chrome-use` isn't installed, the browser isn't reachable, or chatgpt.com isn't logged in. The two not-set-up cases are handled explicitly:
Confidence: 88%
Finding
less POST to `chatgpt.com/backend-api/codex/responses` with the `image_generation` tool, reusing `~/.codex/

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.