Multishot UGC

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised cloud image-generation job, but it under-explains third-party uploads and does not safely contain downloaded filenames.

Review before installing. Use only images you are comfortable sending to ComfyDeploy, avoid sensitive personal or proprietary content unless you accept that third-party processing, use a limited ComfyDeploy API key, and run it in a low-impact workspace until downloaded filenames are sanitized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to provide a local file path or image URL and describes sending that image to a third-party API, but it does not clearly warn that user-supplied images will leave the local environment. Images may contain sensitive personal, commercial, or biometric information, so undisclosed external transmission creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 85%
Finding
The script uploads a user-supplied local image to a third-party API without an explicit privacy or data-transmission warning at the point of use. In an agent-skill context, users may assume processing is local and unintentionally send sensitive images off-device, which creates privacy, compliance, and data-handling risk even if the vendor is legitimate.

VirusTotal

62/62 vendors flagged this skill as clean.
