Security audit

ImageFlare

Security checks across malware telemetry and agentic risk

Overview

ImageFlare is a coherent Cloudflare Workers AI image-generation skill with expected external processing and credential setup considerations.

Before installing, verify that the pip package imageflare is the package you intend to trust, use a Cloudflare token limited to Workers AI, avoid putting tokens in shell history when possible, protect the local config file, and do not submit confidential prompts or sensitive images unless you are comfortable with Cloudflare processing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documentation does not clearly warn users that their prompts and uploaded images are sent to Cloudflare Workers AI for remote processing. In an image-generation/editing skill, that omission matters because users may submit sensitive photos or confidential text prompts without realizing data leaves the local machine and is handled by a third party.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The documentation shows `imageflare config set --account-id YOUR_ID --api-token YOUR_TOKEN`, which encourages passing secrets directly on the command line. API tokens provided this way can be exposed via shell history, process inspection tools, logging, terminal recordings, or CI job output, increasing the chance of credential theft and unauthorized use of the Cloudflare account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal