Free Image Generation Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward remote image-generation skill that sends prompts to Perchance and saves the returned image locally.

Install only if you are comfortable sending image prompts to an unofficial Perchance endpoint and installing a user-level Python dependency. Avoid secrets or sensitive personal data in prompts, and save outputs to a dedicated folder to avoid overwriting important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill advertises and instructs execution of scripts that perform network access and write files locally, but it does not declare those permissions explicitly. This creates a transparency and policy-enforcement gap: an agent or reviewer may approve or run the skill without understanding that it can reach external services and create or overwrite local files.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The script transmits the user-supplied prompt and related generation parameters to a third-party unofficial remote service, but its output does not clearly disclose that external transmission is occurring. In an agent setting, users may assume prompts are handled locally; this can expose sensitive or confidential prompt contents to an untrusted provider and create privacy, compliance, and data-handling risks.

VirusTotal

64/64 vendors flagged this skill as clean.
