妙达文字生成图片

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward image-prompt helper, with the main caution that it relies on a separate image-generation CLI and external processing.

Install only if you trust the `miaoda-studio-cli` npm package and the service behind it. Avoid putting confidential, personal, regulated, or proprietary information into prompts unless you are comfortable with that data being processed by an external image-generation provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger list includes very broad everyday phrases such as '生成图片', '画图', '画一张', and '做一张图', which can cause the skill to activate in contexts the user did not intend. Over-broad triggering can route unrelated user content into this skill, leading to unintended prompt construction, accidental remote API use, or disclosure of user-provided text to the image-generation backend.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs users to use a CLI-based image generation workflow but does not clearly warn that prompts may be sent to a remote service for processing. Users may include sensitive business data, personal descriptions, or proprietary creative concepts in prompts without realizing that this information could be transmitted, logged, or retained by a third-party backend.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal