Back to skill

Security audit

Ai Image Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for using the inference.sh CLI to generate images, with normal third-party service and installer risks but no hidden or destructive behavior in the artifact.

Install only if you trust inference.sh and are comfortable using its CLI. Prefer manual install or checksum verification before running the installer, log in with the intended account, and avoid submitting confidential prompts, private images, secrets, internal URLs, or regulated data unless you accept the provider's data handling and any quota or billing impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes broad, common phrases such as 'image generation', 'generate image', and 'ai art', which can cause the skill to activate in contexts where the user did not explicitly intend to invoke this specific external-service-backed tool. Because the skill can lead to installation and use of a third-party CLI, accidental activation increases the risk of unintended external data disclosure and unnecessary command execution guidance.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill encourages users to submit prompts and image URLs to inference.sh-hosted apps without clearly warning that this data is transmitted to external services and model providers. In practice, users may include sensitive prompts, private image URLs, or proprietary material, and the absence of a prominent disclosure undermines informed consent and increases the chance of unintended data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.