Back to skill

Security audit

万相 2.6 生成微信公众号封面图

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uses Alibaba DashScope to generate images, then saves the generated files locally, with the main risks disclosed.

Install only if you are comfortable sending prompts and article text to Alibaba DashScope. Use a dedicated, quota-limited API key, keep .env files private, avoid sensitive or regulated content in prompts, and prefer an isolated Python environment if you want tighter dependency control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes capabilities to read environment variables and local .env files, write generated images to the filesystem, invoke shell commands, and call external network APIs, but it does not declare permissions. This creates a transparency and consent problem: a host or user may authorize the skill without understanding that it can access secrets and local files and make outbound requests, increasing the risk of secret exposure or unintended file/network actions if the implementation is unsafe or compromised.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill performs a side effect not clearly disclosed by its description: it downloads remote image URLs and writes files to local disk automatically. In an agent/skill context, undisclosed filesystem writes can surprise users, consume storage, and create persistence of remote content that may contain untrusted or inappropriate data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill loads environment variables from multiple local .env locations, including shared user directories unrelated to this specific skill. In an agent setting, this broad credential harvesting behavior exceeds the minimum needed for image generation and increases the chance that unrelated secrets are silently imported into process scope and later exposed to logs, errors, or downstream libraries.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-provided title/content/description values are sent to a third-party image-generation API, and the code even enables prompt rewriting via prompt_extend=True. If users paste proprietary, personal, or sensitive text, that data is transmitted off-host without any explicit consent flow or warning, creating a privacy and data-handling risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.