Openai Image Gen

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses an OpenAI API key to generate images and saves a local gallery, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install only if you are comfortable sending image prompts and generation parameters to the configured OpenAI-compatible endpoint using your API key. Prefer OPENAI_API_KEY over the --api-key flag, confirm OPENAI_BASE_URL and OPENAI_API_BASE are unset or trusted, expect possible API billing, and avoid opening generated galleries from untrusted prompt text because prompts are inserted into index.html without escaping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The setup and run instructions note that an API key is needed, but they do not clearly warn that user-supplied prompts will be transmitted to a third-party remote API using that credential. This matters because prompts may contain sensitive or proprietary content, and users may assume a local-only image generation workflow from the brief description and examples.

VirusTotal

64/64 vendors flagged this skill as clean.
