image-url-qiniu

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: copies a user-provided image URL into a configured Qiniu bucket, with a documented TLS-bypass option users should avoid.

Safe to install if you trust the runtime with Qiniu upload credentials. Use a dedicated bucket or restricted key/prefix, keep the bucket's public-read behavior intentional, only mirror URLs you are authorized to use, and avoid --no-verify-ssl except for a clearly understood debugging case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tool Parameter Abuse

High
Category
Tool Misuse
Content
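Optional parameters:

- `--max-mb N`: maximum size of a single image (default `25`); the download fails if the limit is exceeded, to avoid fetching large files by mistake.
- `--no-verify-ssl`: disable SSL verification when downloading (use with caution, only when an intranet or proxy misbehaves).
- `--timeout SEC`: download timeout in seconds (default `60`).

## Agent workflow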
Confidence
94% confidence
Finding
--no-verify

VirusTotal

67/67 vendors flagged this skill as clean.
