GPT Image Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is aimed at image generation and shows no malware behavior, but it asks to control the user's everyday logged-in Brave browser, which is broader access than this task needs.

Review before installing. Use this only if you are comfortable letting the agent control a logged-in Brave session. Prefer a separate Brave profile or browser instance for ChatGPT, close sensitive tabs first, and relaunch Brave without remote debugging after use. Generated images are saved under /tmp/openclaw and the workflow sends the result through the configured Feishu message target.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs attachment to the user's everyday Brave session over remote debugging, which can expose all open tabs, cookies, authenticated sessions, browsing history, and page content to automation. Because it reuses a daily browser rather than an isolated profile, compromise or misuse could lead to cross-site account access and unintended data disclosure well beyond image generation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal