uni-image

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill has a coherent purpose, but the reviewed package is incomplete and asks users to rely on missing proxy code that would handle API keys and prompts.

Review before installing. Only proceed if you can inspect the missing proxy and injection scripts from a trusted source, restrict and protect any API keys, configure only providers you intend to use, and avoid submitting sensitive prompts or images unless you accept transmission to the selected provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation describes a multi-provider image generation proxy that sends prompts and image requests to Volcengine, Alibaba, and Google, but it does not clearly warn users that their prompts and related request data are transmitted to third-party APIs. This creates a privacy and consent risk because users may unknowingly submit sensitive text or image content to external providers with different retention and processing policies.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal