Back to skill

Security audit

Meitu Skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Meitu media-generation toolkit, but it deserves Review because it combines credential use, third-party media processing, broad local reads, and persistent memory writes with some under-scoped controls.

Install only if you are comfortable giving the skill access to Meitu credentials, sending provided media and selected local context to Meitu OpenAPI, and allowing generated outputs plus some preference/project memory to persist locally. Use environment-variable credentials where possible, avoid sensitive personal or proprietary images unless third-party processing is acceptable, and review or disable shared visual memory/profile use in shared workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (271)

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The skill metadata states that project creation writes should occur only when explicitly requested, but later workflow steps instruct automatic updates to local project files such as DESIGN.md on each execution. This mismatch weakens user consent and can cause unintended persistence of prompts, project context, or generated decisions to disk.

Intent-Code Divergence

Medium
Confidence
75% confidence
Finding
The protocol presents inconsistent storage behavior: earlier sections say not to auto-create the visual workspace, while later sections allow falling back to the current directory and manually scaffolding a project there. In an agent setting, this ambiguity can lead to unintended writes outside the intended memory root, including into arbitrary working directories that may be synced, shared, or contain sensitive code.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill claims it should trigger only for explicit personalized visual workflows, but the examples allow generic requests like "帮我画" to auto-route into the skill. This broadens activation beyond clear user intent and can cause unintended reading of local memory/profile files and transmission of derived context to the remote Meitu API.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The preflight says videos are not supported and tells users to send a screenshot, while later sections explicitly support image-to-video and motion-transfer workflows. This inconsistency can lead to incorrect gating, user confusion, and unsafe handling decisions around media types, especially where remote upload behavior differs between images and videos.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file says PROFILE.md should contain only confirmed facts, but the template also instructs storing 'identified from reference photo' features and an 'extracted' tone from feedback. That creates a mismatch between stated policy and actual behavior, increasing the chance the agent records inferred sensitive attributes as facts without explicit user confirmation.

Scope Creep

Medium
Confidence
92% confidence
Finding
The Deliver section documents moving generated files to `{output_dir}/{YYYY-MM-DD}_{descriptive-name}.tsx`, while the earlier output_dir logic includes `~/.openclaw/workspace/visual/output/text-code/`. That concrete subpath is not covered by the declared file_write permissions, creating a mismatch between documented behavior and the sandbox/permission model that can lead to writes outside the approved scope or failed enforcement.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README states that the skill may read user profiles and daily memories and send selected local context to Meitu OpenAPI, but it does not clearly require informed consent, minimization, or sensitivity checks before transfer. In a personal-assistant setting, this can lead to privacy violations or unintended disclosure of sensitive personal data to a third-party service.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The catalog uses several everyday-language aliases that are broad enough to match user requests outside the intended tool scope. In an agentic runtime, this can cause the wrong tool to be auto-invoked, leading to unintended media modification or generation actions based on ambiguous natural language.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The alias "提亮" is highly ambiguous because users may mean local exposure edits, color grading, low-light recovery, or general quality improvement. A vague trigger like this increases the chance of misrouting requests to the low-light enhancement tool, producing unexpected edits and reducing user control over image processing.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The alias "加水印" is ambiguous because watermarking can reasonably apply to both images and videos, yet it is attached here to a video-only tool. In a natural-language router, this can cause incorrect tool selection and unintended processing of the wrong media type or workflow.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description says it should only trigger for explicit low-light, night, or underexposure repair requests, but the routing keywords include the generic term '提亮'. That broadens activation beyond the declared constraint and can cause the skill to run on ordinary brightness or color-edit requests, sending user images to an external API when the user did not specifically ask for low-light enhancement.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly declares sensitive file reads for credential material and write access to workspace/output locations, but the user-facing description only discusses portrait generation and does not clearly disclose these operations. This creates a transparency and consent problem: users may invoke the skill without understanding that local secrets and files will be accessed and artifacts will be persisted.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is very broad and overlaps with common conversational phrases about image editing and style changes, which can cause unintended activation of the skill. In this skill's context, accidental invocation is more concerning because the skill can execute an external binary, read local files, and send user-supplied images to a third-party API.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requests credential access, file reads/writes, and external command execution, but the user-facing description does not clearly disclose these behaviors or associated risks. This reduces informed consent and can lead users to unknowingly authorize local resource access and third-party processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The execution flow sends user images and prompts to an external API for processing, but there is no privacy notice or data transfer disclosure. Because images may contain sensitive personal or proprietary information, undisclosed third-party transmission increases privacy and compliance risk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger description is very broad and includes common phrases like making an image clearer, HD repair, and upscale to common resolutions, which can cause the skill to activate in situations the user did not intend. Because the skill also invokes an external service and writes outputs, accidental invocation increases the chance of unnecessary data transfer and processing of sensitive images.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill declares that it reads local credential files and calls an external Meitu service, but the user-facing description does not warn users that images may be sent to a third-party processor and that local credentials are accessed. This undermines informed consent and can expose sensitive images or operational secrets in contexts where users expect only local processing.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly requires API credentials, reads local credential/config files, and invokes an external CLI/service, but the user-facing description and workflow do not clearly disclose these behaviors. This can mislead users about data flow and trust boundaries, causing them to provide images or run the skill without informed consent about credential use and external transmission.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill writes modified images into workspace/output locations and renames/moves downloaded files, but does not clearly warn users where artifacts will persist. This creates a privacy and operational risk because edited images may remain on disk in predictable locations without the user's awareness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest requests access to credentials, local file reads/writes, and command execution, but the user-facing description only presents a media-generation capability and does not disclose these sensitive permissions. That creates a consent and transparency gap: a user may invoke the skill without understanding it can read credential files and execute an external CLI with those secrets available.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill relies on external Meitu API credentials and processes user-supplied images through an external service, but the user-facing description does not clearly disclose that image data may leave the local environment. This can create a privacy and consent problem, especially for sensitive or proprietary images.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to create directories/files and persist user-derived observations without requiring an explicit user-facing notice or consent at write time. Even though the content is framed as product memory, silent persistence of preference data can surprise users, create unwanted long-lived records, and expand the blast radius if the memory store is later accessed, reused, or synced.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The promotion flow writes distilled preferences into scene/global memory files and deletes the source observation entry, but the documentation does not require a clear safety notice describing these persistent changes and their consequences. This is risky because it converts ephemeral interaction history into broader persistent profile data, potentially across projects/scenes, and removes intermediate records in a way users may not fully understand.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger terms for passport and visa types overlap heavily (for example, generic terms like '护照' and '出入境'), so the agent may resolve a user's request to the wrong photo specification. In this skill context, that can cause generation of an ID photo with incorrect size, ratio, or background, which may lead to document rejection or user harm through reliance on inaccurate official-document formatting.

Vague Triggers

Low
Confidence
78% confidence
Finding
The fallback rule '推断不出 → 默认白色' applies a broad default even when the document type is uncertain, which can silently produce a noncompliant background color. In an ID-photo generation skill, silent defaults are risky because users may trust the output for official submissions, and a wrong background can invalidate the photo.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
meitu-tools/SKILL.md:46

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/routing-guide.md:60

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:23