Image Process

Security checks across malware telemetry and agentic risk

Overview

This image-processing skill appears coherent and purpose-aligned, with normal caution for private photos and output file paths.

Install only if you are comfortable using npm image-processing dependencies. Use it on image files you control, avoid highly sensitive personal photos unless you trust the background-removal dependency, and choose output paths carefully to avoid overwriting important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The skill description and invocation guidance are broad enough that an agent could trigger this skill for loosely related user requests involving images without strong preconditions or safety boundaries. Over-broad routing can cause unintended file processing, surprising side effects, or invocation on attacker-influenced inputs, especially because the skill performs filesystem-oriented operations on user-supplied paths.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code sends user-supplied image content into a third-party background-removal component without any disclosure, consent flow, or indication of whether processing is purely local or may involve remote/model downloads or external transfer. In an image-processing skill, users may reasonably expect local handling of potentially sensitive photos, so undisclosed third-party processing creates a real privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.