Back to skill

Security audit

Picgo Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-built PicGo image upload skill, with the main risk being that users should understand selected local images will be uploaded.

Install only if you intend to use PicGo for image uploads. Before using it, confirm each image path is one you want uploaded, and check your PicGo configuration to understand which remote image host will receive the files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description says it should be used whenever the user needs to upload images, which is broad enough to match many ordinary requests without clearly constraining when the skill should activate. In an agent setting, overly broad triggering can cause unintended invocation and unexpected transmission of local files to a local service, especially when the user did not explicitly ask for this specific upload path.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explains how to pass local image paths to the script but does not clearly warn that the image contents and related path-selected data will be sent to the PicGo server API. This creates a meaningful data-handling risk because users or higher-level agents may treat the action as local-only, when it actually transmits potentially sensitive local files to another service for further upload.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.