HTML to Image

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed OOMOL connector skill for HTML-to-image conversion, with a conditional CLI installer caution but no evidence of hidden or malicious behavior.

Install if you are comfortable routing HTML-to-image jobs through OOMOL. If the oo CLI is not already installed, review the installer source and trust boundary before running the suggested curl-to-bash setup command.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The description says to use this skill for "ANY HTML to Image request" and "Whenever a task involves HTML to Image," which is very broad and does not define clear boundaries or exclusions. In a markdown skill description, this can overlap with many generic tasks involving screenshots or image generation and may lead to unintended activation.

External Script Fetching

High

Category: Supply Chain
Content: - **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>): ```bash curl -fsSL https://cli.oomol.com/install.sh | bash # macOS / Linux ``` ```powershell
Confidence: 90% confidence
Finding: curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal