VPick AI Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed VPick image-generation connector whose main risks are normal service risks: sending prompts/images externally, using an auth-bearing MCP link, storing outputs in the cloud, and spending account credits.

Install only if you trust VPick and its downstream providers with your prompts and reference images. Keep the MCP Connector URL private, avoid uploading sensitive or confidential images unless that data sharing is acceptable, and watch credit usage when running batch, fast, or high-resolution generations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description uses very broad invocation phrases such as 'generate image', 'create an image', and 'AI image', which can cause the skill to be selected in many loosely related contexts. Over-broad routing increases the chance the agent invokes an external third-party image generation workflow unexpectedly, sending user prompts and possibly image references to VPick and downstream providers when a narrower or local capability might have been more appropriate.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal