Security audit

Bg Remove

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward image background-removal tool, with a minor transparency caveat: its AI model may be downloaded on first use.

Install only if you are comfortable with Python dependencies and a possible first-run model download. Use explicit input and output paths, avoid --force unless you intend to overwrite files, and preload models if you need offline or tightly controlled network behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 95%
Finding
The documentation states that the first use will automatically download model files, but it does not clearly warn users up front that invoking the skill may trigger a network request and transfer data such as IP address and environment metadata to external model hosts. This is primarily a transparency and privacy issue rather than direct code execution, but it can still violate user expectations in restricted, offline, or privacy-sensitive environments.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.