Security audit

doubaoimg

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: uses Doubao in a browser to generate an image, saves it locally, and returns the saved path.

Install this if you want the agent to operate Doubao’s web chat for image generation and save the result locally. Avoid sensitive prompts unless you are comfortable sending them to Doubao, use a deliberate output path when possible, and be aware it may use your logged-in Doubao browser session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directs the agent to download a remote image and write it to a local filesystem path, including a silent default path under the workspace, without requiring explicit user confirmation at write time. This creates an unauthorized filesystem side effect and may cause unexpected local file creation or overwriting if the output path is inferred or user-controlled without safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.