Back to skill

Security audit

Turn photos, memories, and event details into polished custom invitation posters.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only poster-generation skill that clearly uses Mew.design APIs and user-provided photos/API keys, with no hidden code or persistence found.

Install only if you are comfortable sending selected photos, event details, and a revocable Mew.design API key to external services. Prefer public image URLs you control, and only approve temporary third-party uploads for images you are willing to share externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The install-intent examples are broad enough that ordinary requests like 'help me install this skill' could trigger installation behavior without a strong, explicit user confirmation tied to this specific skill. In an agent ecosystem, ambiguous install triggers increase the risk of social-engineering-driven skill installation and unintended execution of third-party instructions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:244