picture-book-maker

Security checks across malware telemetry and agentic risk

Overview

This picture-book skill is mostly aligned with its purpose, but its packaging script can fetch arbitrary URLs and can read metadata-specified local paths, which is too broad for untrusted book projects.

Review before installing. Use it only with metadata and image sources you trust, prefer local images under the intended pages directory, and avoid running the packer on downloaded or user-supplied book folders until URL fetching is opt-in and constrained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation and dependency block indicate capabilities to read/write local files and access the network, but no explicit permissions or user-consent boundaries are declared. In an agent setting, undeclared file and network access increases the risk of surprising side effects, including writing arbitrary output and fetching remote resources without clear authorization.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims to provide a full picture-book creation workflow, but the documented executable behavior centers on packaging and remote image retrieval. This mismatch is dangerous because users and orchestration systems may trust the broader description while the actual operational risk includes network downloads and file generation that are not foregrounded as the primary behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script downloads arbitrary HTTP(S) URLs from untrusted metadata, which introduces server-side request forgery style behavior and outbound network access in what otherwise appears to be a local packaging tool. An attacker controlling metadata.json can force requests to internal services, cloud metadata endpoints, or attacker-controlled hosts, causing data exposure, network probing, or unexpected network dependency.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger conditions are broad enough to overlap with ordinary story-writing or picture-book requests, which can cause unintended invocation of a skill that performs filesystem writes and may later initiate network activity. In an agent ecosystem, overbroad auto-triggering raises the chance that users are exposed to side effects they did not intend.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents downloading images from external URLs with retries, but it does not warn about privacy, metadata leakage, or the security implications of contacting third-party hosts. This can expose user-provided content, agent IP/network metadata, and create SSRF-like risks if arbitrary URLs are accepted.

VirusTotal

66/66 vendors flagged this skill as clean.