Product Photography

Security checks across malware telemetry and agentic risk

Overview

This is a focused product-photography prompt guide for an external image-generation CLI, with a disclosed installer trust consideration but no artifact-backed malicious behavior.

Install only if you trust inference.sh. Prefer the manual checksum-verified install path over piping a remote script into a shell, understand that `infsh login` may store a provider session locally, and avoid sending confidential product plans or sensitive customer data in prompts unless the provider’s terms are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill instructs users to pipe a remotely fetched script directly into `sh`, which executes whatever content is served at that URL at install time. Although the note mentions checksum verification by the installer, that does not remove the trust boundary problem: a compromised host, malicious update, MITM in some environments, or unexpected script change could lead to arbitrary code execution on the user's machine.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal