Comic To Realistic

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward image-conversion API wrapper, but users should know their image URL and prompt are sent to an external NGMob service.

Install only if you trust the NGMob API service and are comfortable sending the provided image URL and prompt to that provider. Use a service-specific API key, watch for usage costs, and avoid submitting private, sensitive, copyrighted, or identifying images unless you have permission and accept the provider's handling of that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The manifest transmits user-supplied image URLs and prompts to a third-party API, but the skill description and schema provide no user-facing disclosure, consent mechanism, or data-handling notice. Because image URLs and prompts may contain sensitive personal, copyrighted, or identifying content, this creates a real privacy and data-governance risk even if the transmission is functionally required for the skill.

VirusTotal

63/63 vendors flagged this skill as clean.
