Filtrix Image Generation

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it needs Review because one fal.ai editing path silently disables a provider safety checker and the docs understate that prompts and local images are sent to outside AI services.

Install only if you are comfortable sending prompts and chosen images or masks to OpenAI, Google Gemini, or fal.ai under those providers' terms. Set only the API keys you plan to use, avoid sensitive or regulated images, choose output paths carefully, and review or patch the fal.ai edit path before relying on it because it disables a provider safety checker by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'url' from os.environ.get (line 175, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    if not b64:
        url = result.get("data", [{}])[0].get("url")
        if url:
            with urllib.request.urlopen(url) as img_resp:
                return img_resp.read()
        raise RuntimeError("No image data in OpenAI edit response")
Confidence
88% confidence
Finding
with urllib.request.urlopen(url) as img_resp:

Tainted flow: 'url' from os.environ.get (line 125, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        # Try URL fallback
        url = body.get("data", [{}])[0].get("url")
        if url:
            with urllib.request.urlopen(url) as img_resp:
                return img_resp.read()
        raise RuntimeError("No image data in OpenAI response")
Confidence
86% confidence
Finding
with urllib.request.urlopen(url) as img_resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents access to environment variables, local files, filesystem output, and outbound network calls, but no permissions are declared. That creates an authorization and review gap: users or platforms may not realize the skill can read API keys, upload prompts/images to third-party services, and write artifacts to disk. In this context, the capability set is expected for an image-generation skill, but the lack of explicit permission declaration still weakens transparency and enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The description says the skill generates images, but the documented behavior also includes editing existing local images, mask-based inpainting, and writing outputs to arbitrary paths. This mismatch can cause users, reviewers, or policy systems to underestimate the skill's access to local content and its ability to transform files, which increases the chance of unintended data exposure or misuse. The image-editing behavior is functionally related to the skill's purpose, so this is more a transparency/control issue than evidence of malicious intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to configure API keys and use remote image generation/editing providers, but it does not disclose that user prompts and uploaded images will be transmitted to third-party services. In an agent skill context, users may assume local processing or fail to appreciate that sensitive text or images could leave their environment, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill does not clearly warn users that prompts, input images, masks, and related content may be sent to third-party AI providers using API keys from the environment. This is a real privacy and data-governance risk, especially for image-editing workflows involving local files that may contain sensitive or proprietary content. The risk is elevated by support for multiple external providers and local image upload/edit operations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill transmits user prompts and image contents to external AI providers, but there is no explicit runtime consent or warning in the code path. In an agent context, users may not realize sensitive images or prompts are leaving the local environment, making accidental privacy and compliance violations more likely.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script writes provider-controlled binary output to an arbitrary user-supplied path with no path restrictions or confirmation. In an agent context, a malicious or confused caller could overwrite sensitive files accessible to the running account, making this more dangerous than in a purely local interactive CLI.

VirusTotal

66/66 vendors flagged this skill as clean.
