Security audit

Jimeng AI Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Jimeng/Volcengine image and video generator, with the main caveat that its metadata does not explicitly declare network/API use.

Install only if you are comfortable storing a Jimeng/Volcengine key for this skill and sending prompts to Volcengine. Use a scoped key where possible, watch quota or billing, avoid secrets or regulated data in prompts, and choose output paths carefully because files may be written or overwritten.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill documentation declares use of Python and an external API but does not declare network permissions, while the described behavior clearly involves outbound API calls to Volcano Engine and likely downloading generated media. Undeclared network capability reduces transparency and weakens permission-based review, which can hide unexpected data egress or make users invoke a skill without understanding its external communications.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal