Back to skill

Security audit

Image-crawler

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed image crawler that downloads images to a chosen local folder and keeps deduplication state there.

Use a dedicated output directory, choose image counts carefully, and avoid shared or sensitive folders if the search terms are private. Delete .dedup_hashes.json in the output folder if you want to remove the retained deduplication history or reset cross-run skipping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description says it downloads and deduplicates images, but it does not clearly warn users that it will write potentially large numbers of files plus persistent deduplication metadata to disk across runs. This can surprise users, consume storage, and leave lasting local artifacts that affect later executions or expose sensitive search intent through saved metadata.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.