Back to skill

Security audit

p-image-edit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Pruna image-editing skill that sends user-selected images and prompts to Pruna’s API, which is expected for its purpose and not hidden.

Install only if you are comfortable sending selected reference images, prompts, and related job data to Pruna’s API using your Pruna API key. Do not use private, sensitive, or regulated media unless that matches your organization’s policy and Pruna’s terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to upload local image files and send prompts to an external API using an API key, but it does not explicitly warn that user-provided images and metadata leave the local environment. In an agent setting, this can lead to unintentional disclosure of sensitive images, prompts, or identifiers to a third-party service without adequate user awareness or consent.

External Transmission

Medium
Category
Data Exfiltration
Content
## Prerequisites

Upload each reference to `POST https://api.pruna.ai/v1/files` (multipart `content=@file`). Use each file’s `urls.get` value in `input.images`.

## Required input
Confidence
90% confidence
Finding
https://api.pruna.ai/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.