Security audit

Kay Image

Security checks across malware telemetry and agentic risk

Overview

This is a user-directed image generation and media understanding skill that uses external AI APIs as expected, with documentation gaps around provider choices and uploads.

Install only if you are comfortable sending prompts and selected images or videos to KIE AI, or to LaoZhang when --use-laozhang is used. Configure only the API keys you intend to use, avoid sensitive media unless allowed by your privacy or compliance requirements, and note that the manifest understates the optional understanding credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill declares that it is based on the KIE AI API and requires KIE_API_KEY, but its behavior also includes switching to the LaoZhang API, standalone task query/polling, and an understanding feature that depends on other credentials. This description-behavior inconsistency can mislead users and auditors, causing users to send images, videos, and prompts to additional third-party services without understanding the real data flows, external services, and credential requirements.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata describes the tool as based on the KIE AI API, but the code also supports sending understanding requests to a different third-party service, LaoZhang, via `--use-laozhang`. This is a supply-chain and transparency issue because users may disclose prompts, images, videos, and API credentials under the assumption that only KIE is involved, while the tool can route data to another provider.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest states only `KIE_API_KEY` is required, but the code also consumes `KIE_UNDERSTANDING_API_KEY` and `LAOZHANG_API_KEY` for other modes. Incomplete credential disclosure can cause unsafe deployment practices, accidental secret exposure, and user misunderstanding about which accounts and providers the skill can access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill processes images, videos, and text prompts, but its documentation does not explicitly warn that this content is sent to external API services for processing. In scenarios that may involve sensitive images, documents, OCR content, or video material, this can cause users to transmit data to third parties without informed consent, creating privacy, compliance, and data governance risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In understanding mode, local image and video files are read, base64-encoded, and sent to external APIs without an explicit warning at the point of use. This can expose sensitive local content to third parties, especially because the tool accepts filesystem paths and silently uploads the file contents as data URLs.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/main.ts:20

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/main.ts:574