Youtube Thumbnail Design

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent YouTube thumbnail design helper that uses a disclosed third-party image-generation CLI, with normal installer and account-use cautions but no hidden harmful behavior.

Install only if you trust inference.sh. Review the installer before running it, or use the manual checksum-verification path. Expect prompts and image-generation requests to leave your machine for external providers, so do not send confidential images or private details unless you are comfortable with that service handling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill declares broad Bash access and then relies on shell commands to install and run third-party software, which exceeds what a purely advisory design skill should need. This increases the blast radius if the skill is invoked in an automated environment, because shell execution can modify the host, fetch code, or run arbitrary commands beyond thumbnail generation.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The documentation instructs users to pipe a remotely fetched script directly into the shell without a strong safety warning or mandatory verification step. This is dangerous because any compromise of the download host, CDN, DNS, TLS termination, or release process could lead to arbitrary code execution on the user's machine. Piping also means the user never sees the script that actually ran, and a download that is cut off mid-transfer executes as far as it got.
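The alternative the overview refers to as the manual checksum-verification path, written out as an added example; this is not code from the skill, from inference.sh, or from SkillSpector. It downloads the installer to a file, compares its SHA-256 against a digest obtained separately from the download, and runs it only on a match. The URL and checksum shown for real use are hypothetical placeholders; the offline demonstration uses a constructed local file whose expected digest is the published SHA-256 of the bytes `hello\n`.

```shell
#!/bin/sh
# Added example; not code from the skill, from inference.sh, or from SkillSpector.
# Replaces "curl <url> | sh" with download -> verify SHA-256 -> run. The URL and
# checksum passed to install_verified are hypothetical placeholders; in practice
# the checksum must come from a channel separate from the download (release page,
# signed manifest, vendor docs), otherwise the comparison proves nothing.

# Print the SHA-256 hex digest of a file using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Return 0 only if the file's digest equals the expected digest (case-insensitive).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# Fetch to a file over HTTPS only. --fail maps HTTP errors to a non-zero exit,
# --proto '=https' refuses downgrades via redirect, and nothing is piped to sh.
fetch_installer() {
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
    --output "$2" "$1"
}

# Download, verify, then execute. Any failure stops before the script runs,
# so a truncated or tampered download is never executed.
install_verified() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  if fetch_installer "$url" "$tmp" && verify_sha256 "$tmp" "$expected"; then
    sh "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Offline demonstration with a constructed stand-in for a downloaded installer.
# The expected value is SHA-256("hello\n"); the second call uses the digest of
# the empty string to show the refusal path.
demo_offline() {
  f=$(mktemp) || return 1
  printf 'hello\n' > "$f"
  verify_sha256 "$f" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "checksum ok: $f would be executed"
  verify_sha256 "$f" \
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 \
    || echo "refused: digest does not match, nothing executed"
  rm -f "$f"
}

demo_offline
# Real use (needs network; hypothetical values):
# install_verified https://example.invalid/install.sh <published-sha256>
```

The digest comparison is only as strong as the channel the expected value came from: a checksum published next to the download on the same host falls with that host, so prefer one from a release page, a signed manifest, or documentation the vendor controls separately.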

VirusTotal

66/66 vendors returned a clean verdict for this skill. Note that antivirus engines scan the skill's files for known malware signatures; a clean result says nothing about prompt-injection content, over-broad tool permissions, or the installer fetching code at run time.
