
Security audit

03 图像识别 (03 Image Recognition)

Security checks across malware telemetry and agentic risk

Overview

This image-recognition skill mostly matches its purpose, but cloud upload destinations and API configuration are not fully reviewable from the packaged files.

Review or obtain the missing llm_config.py before installing, because it controls API keys, models, and upload endpoints. Use a virtual environment, pin dependencies, choose one intended provider explicitly, and avoid API mode for private screenshots, IDs, internal documents, or other sensitive images unless you are comfortable sending them to that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger examples are very broad everyday phrases like describing or analyzing images, with no activation boundaries, exclusions, or confirmation requirements. This can cause the skill to activate unexpectedly in unrelated contexts and route user images or screenshots into image-processing flows, increasing the risk of unintended data exposure, especially when API mode may upload content to third-party providers.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The code base64-encodes local image files and sends them to remote OpenAI-compatible vision endpoints, but the CLI and API flow do not clearly warn users that image contents will leave the local machine and be processed by third-party services. This is a real privacy/security issue because users may submit sensitive screenshots, IDs, or internal documents under the assumption that the tool is simply 'image recognition' without explicit transmission disclosure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The Anthropic integration sends full image contents to Anthropic's remote API without a dedicated warning, consent prompt, or privacy notice at the point of use. In the context of a vision skill marketed as 'safe', this omission increases the risk of unintentional disclosure of confidential or personal data to an external processor.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  # AI vision recognition skill dependencies

  # Core dependencies
  Pillow>=10.0.0

  # API mode (recommended, more capable)
  openai>=1.0.0
Confidence: 95%
Finding: Pillow>=10.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  Pillow>=10.0.0

  # API mode (recommended, more capable)
  openai>=1.0.0
  anthropic>=0.18.0

  # Local mode (optional, no API needed but requires downloading models)
Confidence: 94%
Finding: openai>=1.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  # API mode (recommended, more capable)
  openai>=1.0.0
  anthropic>=0.18.0

  # Local mode (optional, no API needed but requires downloading models)
  torch>=2.0.0
Confidence: 94%
Finding: anthropic>=0.18.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  anthropic>=0.18.0

  # Local mode (optional, no API needed but requires downloading models)
  torch>=2.0.0
  transformers>=4.30.0
Confidence: 97%
Finding: torch>=2.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
  # Local mode (optional, no API needed but requires downloading models)
  torch>=2.0.0
  transformers>=4.30.0
Confidence: 97%
Finding: transformers>=4.30.0

Known Vulnerable Dependency: Pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 83%
Finding: Pillow

Known Vulnerable Dependency: anthropic — 2 advisories: CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Severity: Low
Category: Supply Chain
Confidence: 68%
Finding: anthropic

Known Vulnerable Dependency: torch — 10 advisories: CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 90%
Finding: torch

Known Vulnerable Dependency: transformers — 10 advisories: CVE-2023-2800 (transformers has Insecure Temporary File); CVE-2025-3933 (Transformers is vulnerable to ReDoS attack through its DonutProcessor class); CVE-2024-3568 (Transformers Deserialization of Untrusted Data vulnerability) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 90%
Finding: transformers

VirusTotal

64/64 vendors flagged this skill as clean.