Image Compressor

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for image compression, but it may send user images or image URLs to an external paid service without enough disclosure or consent.

Review this before installing if you may process private images. Use it only when you are comfortable sending the image or image URL to the service provider and potentially consuming paid quota; prefer a local compressor for sensitive images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The usage example includes the broad trigger phrase "Reduce image size," which can match ordinary user requests and cause the skill to activate unexpectedly. Because this skill sends image data or URLs to an external compression service and charges per call, over-broad triggering can lead to unintended data disclosure and unauthorized spending.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill does not warn users that image URLs or image content may be transmitted to a third-party service for processing. In this context, that omission is more dangerous because the skill is externally integrated, returns a CDN-hosted output URL, and charges per use, so users may unknowingly expose sensitive images and incur costs.

VirusTotal

65/65 vendors flagged this skill as clean.
