Doubao Seed Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Doubao image-analysis skill with ordinary external API, API-key, binary-install, and temporary-file handling risks.

Install only if you trust the GitHub Release binary and publisher. Use a dedicated API key, avoid sensitive or regulated images unless the provider handling is acceptable, prefer unique private temporary output files, and delete result files after use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs agents to write model output derived from user-supplied images into predictable temporary files under /tmp. On multi-user systems or shared environments, temporary files may be readable by other processes or left behind after execution, causing unintended persistence and disclosure of potentially sensitive image analysis results.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal