Back to skill

Security audit

Text To Elegant Image

Security checks across malware telemetry and agentic risk

Overview

This image-export skill appears purpose-aligned, but it automatically installs dependencies and runs unsandboxed browser rendering in ways users should review first.

Install only if you are comfortable with it running a setup script that may perform npm install, writing PNG outputs locally, and launching headless Chrome. Avoid rendering remote URLs or untrusted HTML with this skill, and do not let it modify ~/.bashrc unless you explicitly want a persistent output-directory setting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to persist configuration by appending an export line to ~/.bashrc, which changes the user's shell startup behavior outside the immediate task of generating an image. Even though the payload is not overtly malicious, instructing persistent modification of user environment configuration is unnecessary for a formatting skill and creates an avoidable persistence surface.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script accepts arbitrary HTTP(S) URLs and loads them in a headless browser, which expands a local text/HTML export utility into a network-capable web fetcher. This can expose the runtime to SSRF-style access to internal services, unexpected external requests, and rendering of untrusted remote content inside Chromium.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Launching Chromium with --no-sandbox and --disable-setuid-sandbox removes an important security boundary while rendering attacker-controlled HTML or remote pages. If malicious content triggers a browser exploit, the compromise can more directly affect the host process or container because the browser sandbox is intentionally disabled.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad and include common language such as '做海报' and 'export as image', which can cause unintended activation in conversations where the user did not clearly intend to run this skill. Because the skill can write files and run shell/node commands, accidental invocation increases the chance of unreviewed filesystem changes and dependency actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs automatic execution of a setup script and silent npm installation of puppeteer-core without a clear user-facing warning or consent step. Auto-installing packages and running shell scripts expands the attack surface and can lead to unanticipated code execution or environment changes, especially if the repository contents are tampered with.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically runs `npm install` when `puppeteer-core` is missing, which performs a network fetch and writes dependencies into the workspace without an explicit consent gate. This can introduce supply-chain risk, unexpected code execution via npm lifecycle scripts, and non-deterministic environment changes during setup, especially in automated or privileged environments.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Puppeteer script runner for MD to Long Image skill",
  "main": "scripts/export_image.js",
  "dependencies": {
    "puppeteer-core": "^22.0.0"
  }
}
Confidence
91% confidence
Finding
"puppeteer-core": "^22.0.0"

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
- `export_image.js` 第三个参数可指定宽度(默认 600px),2x deviceScaleFactor 保证高清输出
- 不引用外部图片,图标用纯 CSS 形状代替,避免网络加载失败
- 输出路径:`<输出目录>/<文件名>.png`(输出目录默认 `./output`,可用 `T2EI_OUTPUT_DIR` 环境变量配置,见 Step 4)
Confidence
90% confidence
Finding
echo 'export T2EI_OUTPUT_DIR="$HOME/my-images"' >> ~/.bashrc

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/export_image.js:52