Back to skill

Security audit

Coze Image

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Coze image-generation skill with expected external API use, but users should protect their API token and be cautious with optional local downloads.

Install only if you are comfortable sending image prompts to Coze. Store the Coze API token outside committed source when possible, do not share the configured script, and use the -o save option only with an explicit safe output path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'image_url' from requests.post (line 70, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
print(f"Downloading to: {save_path}")
            # Handle redirect URLs
            try:
                img_response = requests.get(image_url, timeout=60, allow_redirects=True)
                if img_response.status_code == 200:
                    os.makedirs(os.path.dirname(save_path) or ".", exist_ok=True)
                    with open(save_path, "wb") as f:
Confidence
93% confidence
Finding
img_response = requests.get(image_url, timeout=60, allow_redirects=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs use of a Python script that calls an external Coze API, but the manifest declares no corresponding permissions. Hidden or undeclared network capability reduces transparency and prevents users or hosting systems from making informed trust decisions about outbound data flow. In this context, prompts and possibly generated content metadata may be transmitted externally.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest presents the skill as a text-to-image generator, but the implementation also writes downloaded content to an arbitrary local path supplied by the caller. This expands the tool's capability from generation to filesystem write access, which can be abused to overwrite files in accessible directories or plant untrusted content on disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README tells users to hardcode a Coze API token directly into source code, which materially increases the chance that credentials will be committed to version control, shared in screenshots, or left in redistributed packages. While this is documentation rather than executable code, it promotes an unsafe secret-handling practice that can lead to unauthorized API access if the token is exposed.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger phrases are broad generic requests for image generation, making accidental or overly eager invocation plausible. Because invoking the skill can send user prompts to an external API, unintended activation can lead to unnecessary third-party data transmission and user confusion about which tool handled the request.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The phrase indicating activation on 'similar requests' leaves the boundary undefined, which can cause inconsistent or unintended triggering. In a skill that performs outbound API calls, ambiguity increases the risk of forwarding prompts externally without clear user intent or consent.

External Transmission

Medium
Category
Data Exfiltration
Content
CONFIG = {
    "api_token": "YOUR_COZE_API_TOKEN",    # Coze API Token
    "workflow_id": "YOUR_WORKFLOW_ID",     # 图片生成工作流 ID
    "api_url": "https://api.coze.cn/v1/workflow/run"
}
```
Confidence
86% confidence
Finding
https://api.coze.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.