Filtrix AI Image Generation

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates and edits images through named external AI providers using user-provided API keys, with no evidence of hidden persistence, deception, or unrelated data access.

Install only if you are comfortable sending prompts, selected images, masks, and related metadata to OpenAI, Google, or fal.ai using your own API keys. Set only the provider keys you intend to use, avoid sensitive or regulated images unless provider terms are acceptable, monitor API costs, and verify input/output paths before running edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'url' from os.environ.get (line 175, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    if not b64:
        url = result.get("data", [{}])[0].get("url")
        if url:
            with urllib.request.urlopen(url) as img_resp:
                return img_resp.read()
        raise RuntimeError("No image data in OpenAI edit response")
Confidence: 88%
Finding:
with urllib.request.urlopen(url) as img_resp:

Tainted flow: 'req' from os.environ.get (line 229, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    req = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})

    try:
        with urllib.request.urlopen(req) as resp:
            body = json.loads(resp.read())
    except urllib.error.HTTPError as e:
        err_body = e.read().decode()
Confidence: 87%
Finding:
with urllib.request.urlopen(req) as resp:

Tainted flow: 'url' from os.environ.get (line 125, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
        # Try URL fallback
        url = body.get("data", [{}])[0].get("url")
        if url:
            with urllib.request.urlopen(url) as img_resp:
                return img_resp.read()
        raise RuntimeError("No image data in OpenAI response")
Confidence: 92%
Finding:
with urllib.request.urlopen(url) as img_resp:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill documentation describes use of environment variables, local file input/output, and networked calls to external AI providers, but it declares no permissions. That creates a transparency and enforcement gap: users or host systems may invoke the skill without understanding that it can read API keys, read local images, write output files, and transmit data off-host.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The declared purpose says the skill generates images, but the documented behavior also supports editing existing local images and masked inpainting. That mismatch matters because image editing requires reading user-supplied local files and may process more sensitive content than a user expects from a generation-only skill.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README instructs users to provide API keys and submit prompts and images to external AI services, but it does not clearly disclose that those inputs are transmitted to third-party providers. In an agent skill context, users may reasonably assume local-only processing, so the missing transparency can lead to unintended disclosure of sensitive text, images, or metadata.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
The invocation description uses very broad trigger phrases such as 'create', 'make', 'picture', and 'visual content'. Overbroad routing can cause the skill to activate for loosely related requests, increasing the chance that user prompts or attached images are sent to external providers unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation explains provider setup and usage but does not clearly warn that prompts and, for edit mode, input images are transmitted to OpenAI, Google, or fal.ai. This is a significant privacy issue because users may supply sensitive text or local images without realizing they will leave the local environment and be processed by external services.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The guidance documents the Gemini endpoint and API key usage but does not warn that user prompts and generated image content are transmitted to a third-party provider, which can expose sensitive or regulated data. In an image-generation skill, users may submit private photos, proprietary concepts, or identifying details, so omission of a privacy disclosure can lead to unintended data sharing and compliance issues.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill transmits user-supplied images and prompts to external AI providers, but the code provides no explicit user-facing consent, warning, or privacy notice at the point of transfer. In an agent context, users may not realize local images are leaving the environment, which increases privacy and data handling risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
User prompts are transmitted to external image-generation providers, but the script does not present an explicit notice at runtime that prompt contents will leave the local environment and be processed by third parties. In an agent skill context, users may assume local handling, so this creates a real privacy and consent risk, especially if prompts contain sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.