hf-sdxl-image

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill transparently uses Hugging Face to create images and does not show hidden, destructive, or unrelated behavior.

Install only if you are comfortable providing a Hugging Face token and sending image prompts to Hugging Face. Use the temporary output path for normal chat delivery, keep the token scoped to this use, and set HF_IMAGE_MODEL only to models you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill uses sensitive capabilities (environment variable access and outbound network access) but does not declare permissions, which weakens reviewability and policy enforcement. In an agent ecosystem, undeclared capabilities make it harder for operators to understand that the skill can read secrets like HUGGINGFACE_TOKEN and contact external services, increasing the risk of unintended data exposure or unsafe execution.

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior promises a tightly scoped temporary-file workflow, but the actual described behavior allows model override via HF_IMAGE_MODEL and arbitrary output paths, while omitting guaranteed send/delete behavior. This mismatch can be exploited to persist generated files unexpectedly, route requests to unreviewed models/endpoints through configuration, and mislead reviewers or users about data handling and retention.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script allows HF_IMAGE_MODEL to override the manifest-declared model, so behavior is not actually constrained to stabilityai/stable-diffusion-xl-base-1.0. In an agent environment, this can silently redirect prompts and the bearer token to a different model endpoint or provider path than users and reviewers expect, weakening policy guarantees and increasing data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script transmits the full user prompt plus an Authorization bearer token to Hugging Face's external API, which is inherent to the feature but still a real privacy and secret-handling concern. In the skill context, prompts may contain sensitive user data, and external transmission without clear disclosure or minimization increases the chance of unintended data exposure to third-party infrastructure.

VirusTotal

67/67 vendors flagged this skill as clean.