Back to skill

Security audit

Ecdysales

Security checks across malware telemetry and agentic risk

Overview

This is a local product-photo processor whose shell use, setup helper, and image-folder behavior are disclosed and aligned with its purpose.

Install this only if you want a shell-based local image processor. Keep the incoming image folder scoped to photos you intend to process, review outputs in the `output/` directory, and run `setup.sh --install` only if you are comfortable with package-manager changes on that machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell-capable tooling (`scripts/run.sh`) and declares executable binaries, but does not declare corresponding permissions or clearly constrain filesystem/shell access. This creates a capability transparency gap: the agent may execute local commands and process files beyond what a user would expect from the metadata, increasing the risk of unintended command execution or unauthorized local file access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a minimal image-sticker tool operating on a user-provided attachment, but the described behavior includes auto-selecting the latest local image, batch processing, reading local config files, JSON/pipeline integration, and setup/install actions. This mismatch is dangerous because it hides broader local filesystem and execution behaviors behind a narrowly described purpose, which can cause the agent to access or manipulate unintended local data without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Defaulting to `ECDYSALES_MEDIA_DIR` or `~/Pictures/incoming` allows the skill to access local user files beyond the explicitly supplied image input, which exceeds the stated minimal-context image-processing purpose. In an agent context, `--latest` can cause the tool to scan and process unintended personal images from the user's home directory, creating a privacy and unauthorized file-access risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup script can modify the host system by installing packages with elevated privileges, which exceeds the stated lightweight image-processing behavior and increases the trust required to run it. Even though this is framed as optional setup functionality, it creates system-level side effects that are risky in an agent-skill context where users may expect limited file processing only.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Invoking system package managers and sudo introduces privileged host modification capability unrelated to the narrow operational goal of adding stickers and watermarks to images. In an agent setting, this broadens the attack surface and could be abused or unexpectedly triggered to change the environment beyond what users intended.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The documented agent trigger condition is very broad: any attached image plus a `$price:` token can cause the skill to run automatically. In an agent environment, this can lead to unintended processing of unrelated or sensitive images, especially if a user mentions prices in ordinary conversation or an attacker crafts prompts to force activation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script offers automatic package installation but does not provide a strong upfront warning that it will perform privileged system changes on the host. Lack of prominent disclosure increases the chance that a user or calling agent treats setup as harmless verification when it can actually install software and alter system state.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.