Image Handler

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local image-processing skill, with expected file reads, metadata inspection, and output-file creation.

Install this only if you want an agent to work with local image files. Confirm input and output paths before conversions, keep originals when stripping metadata or batch converting, and remember EXIF metadata can contain private location or device information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger description is broad enough to activate on generic mentions of image files or extensions, which can cause the skill to be invoked outside the user's actual intent. In an agent setting, over-broad routing can lead to unnecessary file handling or image-processing actions being suggested or performed on unintended inputs.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill presents a metadata-deletion command as a simple operation without warning that it irreversibly removes EXIF and other properties that may be important for provenance, geolocation, orientation, or forensic use. In a workflow-driven agent, a user may run this command expecting a reversible cleanup and permanently lose data needed later.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal