Ai Image Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI image generation guide for inference.sh, with expected external service and setup risks but no hidden or destructive behavior in the artifact.

Install only if you trust inference.sh and are comfortable using its CLI. Prefer manual install or checksum verification before running the installer, log in with the intended account, and avoid submitting confidential prompts, private images, secrets, internal URLs, or regulated data unless you accept the provider data handling and any account quota or billing impact.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list is unusually broad and includes many generic image- and AI-related phrases, which can cause the skill to be invoked in contexts where the user did not specifically intend to use this third-party image-generation workflow. That increases the chance of accidental activation and unintended transmission of prompts or image data to external services.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill encourages users to submit prompts and image URLs to inference.sh-backed apps but does not clearly disclose that this data is sent to external third-party services. Users may unknowingly expose sensitive prompts, proprietary images, or internal URLs to remote providers, creating confidentiality and privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal