GPT Image 2 Prompt Recommender

Security checks across malware telemetry and agentic risk

Overview

This skill is a prompt-search helper that discloses its GitHub data downloads and local reference-data updates; the scan found no evidence of credential theft, private-data indexing, account mutation, or destructive behavior.

Install only if you accept that the skill contacts GitHub at install time and periodically afterwards to download and refresh its prompt data, and that the agent fetches sample images referenced by the downloaded prompt records. In stricter environments, review the reference data and pin it (for example by recording its hash) before use, install with lifecycle scripts disabled if your package manager supports it (npm's --ignore-scripts), and do not paste confidential drafts, credentials, or sensitive personal data into remix requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium, confidence 94%
Finding
The publishing guide explicitly documents that large reference data is not packaged with the skill and is instead downloaded from GitHub at install time via a postinstall hook. For a prompt-recommendation skill, this creates a capability and trust boundary not reflected in the stated purpose: the effective behavior and content can change after publication based on remote data, reducing reviewability and enabling supply-chain-style content changes without a republish.

Description-Behavior Mismatch

Severity: Medium, confidence 96%
Finding
The documentation states that setup.js silently refreshes the local data copy every 24 hours, meaning the skill's effective dataset can change in the background without a new published version. This undermines transparency and auditability and could expose users to unreviewed prompt content or unexpected network access long after installation.

Context-Inappropriate Capability

Severity: Medium, confidence 95%
Finding
The skill instructs the agent to execute shell commands and perform remote downloads solely to present prompt preview images, which is unnecessary escalation for its stated purpose. Allowing curl, file writes to /tmp, and shell cleanup expands the attack surface to SSRF-like network misuse, retrieval of malicious content, and unsafe command execution pathways if any inputs become attacker-influenced.

Description-Behavior Mismatch

Severity: Medium, confidence 93%
Finding
The skill presents itself as using a local curated library, but it performs recurring remote synchronization from GitHub at runtime and can silently update data in place. This undermines trust in the reviewed local artifact, introduces supply-chain and content-integrity risk, and means behavior can change after installation without a separate review step.

Description-Behavior Mismatch

Severity: Medium, confidence 90%
Finding
The package presents itself as a prompt-search/library skill, but its metadata and scripts indicate install-time downloading via a postinstall hook. For a content library, automatic network activity during installation expands the trust boundary and creates supply-chain and unexpected side-effect risk, especially in agent/tooling environments where installs may occur implicitly.

Context-Inappropriate Capability

Severity: Medium, confidence 94%
Finding
Automatic execution of node scripts/setup.js during postinstall is not clearly required for the advertised prompt recommendation functionality. Postinstall scripts run implicitly on dependency installation and can perform arbitrary code execution, filesystem modification, or network access in the installer's environment, making this a meaningful security risk even if the script is intended only to fetch data.

Missing User Warnings

Severity: Medium, confidence 92%
Finding
Automatic background data refresh is described without any user-facing warning about recurring network activity. Even if the downloaded content is only prompt data, undisclosed periodic fetches create privacy, compliance, and supply-chain concerns because installations contact an external service and ingest changing content without informed consent.

Missing User Warnings

Severity: Medium, confidence 93%
Finding
The README explicitly encourages users to paste full articles, video scripts, and notes into the skill, but provides no warning to avoid secrets, personal data, or unpublished/confidential material. In a skill that forwards, searches, remixes, or processes user content alongside externally synced prompt data, this increases the risk of unnecessary disclosure of sensitive information and accidental data exfiltration into logs, model context, or third-party services.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The skill says stale references are updated silently, without clear user-facing disclosure or consent for outbound network activity. Silent background fetches reduce transparency, make data exfiltration or policy violations harder to detect, and can surprise users or operators in restricted environments.

Missing User Warnings

Severity: Medium, confidence 84%
Finding
Although the description mentions auto-downloads, it does not provide a clear warning about install-time code execution, network access, or system effects. In package ecosystems, users and agents may install dependencies transitively, so insufficient disclosure increases the chance of surprising and potentially unsafe behavior in sensitive environments.

VirusTotal

0/65 detections: all 65 vendors reported this skill as clean. A clean antivirus verdict means the packaged files matched no known-malicious signatures or heuristics; it does not evaluate the behaviours in the findings above (install-time downloads, background refresh, shell execution for previews), which are design and supply-chain questions rather than malware detection.
