Security audit

design-assets

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal image-generation skill that uses an external SkillBoss API, with a privacy disclosure gap rather than evidence of malicious behavior.

Before installing, avoid putting secrets, unreleased business details, private personal data, or confidential brand concepts into image prompts unless you are comfortable sending them to SkillBoss's external service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs users to send image prompts to a third-party API but does not explicitly warn that prompt contents will leave the local environment. In an agent setting, prompts may contain sensitive project details, proprietary branding concepts, or personal data, so silent transmission creates a real privacy and data-governance risk even if the API use is intentional.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal