Gemini Image Remix

Security checks across malware telemetry and agentic risk

Overview

The skill behaves like a Gemini image-generation/remix tool; its main risk is that prompts and chosen input images are sent to Google Gemini for processing.

Install only if you are comfortable sending selected prompts and images to Gemini. Do not use confidential, personal, or proprietary images unless your Gemini account and data-handling terms are acceptable, and keep the GEMINI_API_KEY scoped and revocable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs users to send prompts and one or more local images to Gemini for generation/remixing but does not warn that this data is transmitted to a third-party remote API for processing. This can cause users to upload sensitive images, proprietary content, or confidential text without informed consent, especially because the skill supports multi-image composition and editing of local files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal