Security audit

Miaoyan Xiaozhi (PicTech.cc): professional cross-border e-commerce image cutout / white-background tool

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do background removal as advertised, but it needs review because its documentation encourages unsafe API-key handling and does not clearly warn users that selected images are uploaded to a cloud service.

Install only if you are comfortable sending the images you select, including batch folder contents, to PicTech/stableai for processing. Configure the VK/API key through platform configuration or an environment variable rather than pasting it into chat, and rotate the key if it has already appeared in prompts or logs. Treat the README's permanent key-memory claim as unsupported and review/delete local output and cache files when processing sensitive images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill explicitly references use of an environment variable (`RMBG_VK`) and instructs callers to pass API credentials, but the metadata shown does not declare corresponding permissions or clearly surface that sensitive configuration is accessed. This creates a transparency and governance gap: users and platform controls may not realize the skill consumes secrets from the environment, increasing the risk of unintended secret use or mishandling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly tells users to paste their API key (VK) directly into a chat prompt, which exposes the credential to the agent runtime, chat logs, screenshots, prompt history, and any downstream integrations that store conversations. In the context of an agent skill, this is more dangerous than ordinary CLI documentation because conversational interfaces often retain and replay user inputs, increasing the chance of credential leakage and unintended reuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes 'silent authorization' where the API key is automatically stored locally for future use, but it does not clearly disclose storage protections, file permissions, rotation, deletion, or the risk of other local users/processes accessing the secret. Normalizing undisclosed credential persistence increases the chance of long-lived secret exposure and weakens informed user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs users to submit local image paths, folders, and image URLs to a third-party service (`stableai.com.cn` / `pictech.cc`) for processing, but it does not provide a clear upfront warning that user files and URLs will leave the local environment. This is dangerous because users may unknowingly transmit sensitive product images, personal photos, directory contents, or proprietary assets to an external processor, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code uploads user-provided image data to a third-party remote API using the X-Skill-VK credential, but this file shows no explicit consent flow, warning, or disclosure to the user that local files and URLs will be transmitted off-device. Because images may contain sensitive personal, commercial, or embedded metadata, silent exfiltration to an external service is a real privacy and data-handling risk, especially in a skill that accepts arbitrary local paths and batch directories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly states that the skill can process local files, network images, and save outputs to disk, but it does not clearly warn users that local image contents may be transmitted to an external service and that files/directories will be created or modified on the local filesystem. In an image-processing skill, this omission can cause users to expose sensitive images or unintentionally permit filesystem side effects without informed consent.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill requests an API key in configuration but provides no warning about treating it as a secret, where it will be stored, or whether it may be sent to third-party endpoints. This increases the risk of accidental credential exposure through insecure storage, logs, screenshots, or misuse by users who do not understand the sensitivity of the key.

Ssd 3

Medium
Confidence
97% confidence
Finding
The README not only asks the user to provide an API key in chat, but also pairs that with a design that remembers the credential for future use, encouraging users to treat conversational input as a secret channel when it is typically not one. In an AI agent context, this materially raises the exposure surface because secrets may be captured in transcripts, memory systems, telemetry, or reused across sessions.

Ssd 3

Medium
Confidence
95% confidence
Finding
The credential-memory section endorses automatic local retention and reuse of the user's API key by the agent, which can lead to unauthorized access if the local machine, profile, or agent environment is shared or compromised. The skill context makes this more dangerous because the feature is presented as frictionless convenience, potentially discouraging users from evaluating the security implications of persistent agent-held credentials.

VirusTotal

66/66 vendors flagged this skill as clean.