pony-image

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill that sends prompts and uploaded image data to a disclosed external Supabase API, so users should treat submitted content as leaving their device.

Install only if you are comfortable sending prompts, product images, and reference images to the Pony Supabase-hosted service. Avoid submitting confidential, regulated, personal, or unreleased assets unless you trust the service operator and its retention practices; use a dedicated limited key where possible and monitor quota or billing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs sending user prompts plus reference/product images to remote Supabase function endpoints, but it provides no user-facing notice, consent step, retention information, or guidance about sensitive image content. This creates a real privacy and data-handling risk because users may unknowingly transmit proprietary, personal, or regulated content to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal