Back to skill

Security audit

Kart Io Picture Book Wizard

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed bilingual picture-book generation skill that saves generated markdown locally, with no evidence of hidden network access, credential use, background execution, or automatic destructive behavior.

Install this only if you want a Chinese/English children's picture-book workflow and are comfortable with generated stories being saved under ./output/picture-books/. Avoid putting private personal details into prompts unless you are comfortable with local retention, and treat the watermark guidance as applying only to original generated images, not removing provenance from someone else's work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The template mandates creating and writing markdown files for every run, which expands the skill from content generation into persistent filesystem modification. That creates privacy and safety risk because user-provided story content, names, themes, or sensitive educational material may be stored locally without explicit request or consent, and the write behavior could be triggered automatically in broader agent workflows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Always-on local persistence is not necessary for merely generating picture book content and therefore introduces unnecessary data exposure and side effects. In agent environments, persistent writes can accumulate sensitive user content, create audit and cleanup burdens, and increase the attack surface if other tools or users can read those files.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file injects strong prompt directives to remove watermarks, logos, signatures, branding, copyright symbols, and URLs while also demanding publication-ready, unmarked output. In an image-generation skill, this can facilitate removal or suppression of provenance and rights-management markers from generated or transformed content, expanding the skill beyond benign story generation into potentially infringing content laundering behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script deletes documentation files from the repository, including language-specific guides, even though a picture-book generation skill does not need destructive repository-maintenance behavior to fulfill its stated purpose. In an agent or packaged-skill context, shipping a deletion script increases the risk of accidental or unauthorized content loss, especially if a user runs it without understanding that it removes source documentation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The template instructs the system to write markdown files but does not warn users that their generated content will be saved to disk. This lack of transparency can lead to inadvertent storage of personal or sensitive content and prevents users from making an informed choice about persistence in environments where local files may be accessible to others or synced externally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation says all generated content is automatically written to disk, but provides no warning, opt-in, or confirmation flow. Silent persistence can expose sensitive prompts or generated material, create unwanted artifacts on shared systems, and violate user expectations about a content-generation skill that appears read-only from its description.

Natural-Language Policy Violations

Medium
Confidence
86% confidence
Finding
The file hard-codes a requirement that every character be a 'Chinese' boy/girl and requires Chinese-name metadata, which bakes a demographic identity constraint into the system without user choice or documented necessity. In a children's picture-book generation skill, this can create unfair exclusion, stereotyping, and forced identity assignment across outputs, especially if the skill is used in broader or multilingual contexts.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The registration workflow mandates that all characters include both Chinese and English content, with no opt-in, fallback, or limited applicability. This creates a systemic policy constraint that can pressure all generated content into one cultural/linguistic framing and may lead to inappropriate demographic assumptions for users outside the intended scope.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The example repeatedly encodes gendered role expectations by presenting Xiaoming as the adventurous, active option for boys while contrasting girl characters as gentler, more contemplative, or more creative. In a children's educational content skill, this can systematically bias generated outputs toward stereotyped gender roles, reinforcing exclusionary norms and limiting representation for users.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The examples hard-code Chinese ethnicity, names, physical traits, and culturally specific clothing/contexts as the default character template without presenting this as an optional locale profile. In a content-generation skill, this can systematically bias outputs, reduce user autonomy, and lead the agent to produce exclusionary or stereotyped content for unrelated requests.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The extension activities encourage 5-6 year olds to participate in dumpling-making and chopstick games involving kitchen tools, food, and small objects, but provide no supervision or safety guidance. In a child-focused educational skill, omission of basic cautions can contribute to avoidable harms such as minor cuts, burns, choking, or unsafe food handling if caregivers treat the suggestions as ready-to-use instructions.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The guide hard-codes ethnicity, age, names, and culturally specific defaults for character templates rather than treating them as optional user-controlled parameters. In a general-purpose picture-book generation skill, this can systematically override user intent, produce biased or exclusionary outputs, and create unsafe demographic steering at scale.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The examples and reusable templates consistently enforce Chinese ethnicity and cultural settings without an opt-in path, which means downstream prompt construction is likely to embed those traits even when the user requested something else. Because this file is operational guidance for prompt assembly, the bias is not incidental text but a systematic generation rule affecting many outputs.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Mandating immediate application 'for all multi-character stories' amplifies the risk by turning a context-specific template set into a universal rule. This broadens the chance of culturally inappropriate, biased, or mismatched outputs across the entire skill, making the issue more dangerous in this skill's general picture-book authoring context.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The guide instructs implementers to modify the workflow to generate trilingual output without requiring explicit user selection or opt-in. In an agent setting, that can cause silent scope expansion, unexpected disclosure of user content into additional locales, and prompt/output manipulation that no longer matches user intent or policy constraints.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.