ai-image-generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AI image-generation skill that uses a disclosed third-party API and does not include hidden install code or unrelated local access.

Install this only if you are comfortable sending prompts, image URLs, and related generation inputs to SkillBoss API Hub. Use a limited, rotatable API key, monitor usage or billing, and avoid submitting secrets, personal data, regulated data, or confidential creative material unless you trust the provider's handling of that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The manifest trigger list is extremely broad and overlaps with many ordinary image-creation requests, increasing the chance that the skill is invoked when users did not specifically intend to send their content to this third-party provider. In context, that matters because the skill transmits prompts and possibly image URLs externally, so overbroad routing expands the data-exposure surface.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation instructs sending prompts and image-related inputs to a third-party API but does not clearly warn users that their content will leave the local environment. This creates a privacy and consent risk, especially if users provide sensitive text prompts, proprietary concepts, or private image URLs.

VirusTotal

65/65 vendors flagged this skill as clean.
