Back to skill

Security audit

image-gen

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is mostly coherent, but its heartbeat guidance encourages public sharing, avatar changes, and memory persistence without clear user approval boundaries.

Install only if you are comfortable sending prompts and edited source images to SkillBoss API Hub with your SKILLBOSS_API_KEY. Treat any social posting, profile/avatar update, or memory-saving step as requiring explicit user confirmation of the exact image, destination account, and retained content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares required binaries and environment variables but does not declare explicit permissions despite clearly describing capabilities that use network access, environment secrets, and local file read/write for image editing and output generation. This creates a transparency and policy-enforcement gap: users or orchestration systems may approve the skill without understanding that it can access API keys, contact external services, read input images, and write generated files.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The heartbeat instructions expand the skill from image generation into actions that can affect external systems and user identity, including social posting, avatar changes, and memory persistence. That creates scope creep: an agent using this guidance could perform outward-facing or state-changing actions without explicit per-action authorization, increasing the risk of unintended disclosure, reputational harm, or persistent storage of sensitive content.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Describing the skill as a mechanism for self-expression and avatar updates encourages use beyond its declared purpose of generating and editing images. In an agent environment, this kind of framing can nudge autonomous behavior into profile modification or identity-affecting actions that are more sensitive than simple content generation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown explicitly suggests posting generated content to social platforms and updating a profile avatar, but provides no warning about external sharing, consent, account-impacting changes, or approval requirements. In context, this makes the skill more dangerous because it normalizes publication and profile modification as routine heartbeat behavior rather than exceptional actions requiring user intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The edit flow base64-encodes a user-supplied local image and sends it to a remote API for processing, but the CLI does not provide an explicit warning or consent prompt at the point of use. This creates a privacy and data-handling risk because users may not realize local file contents are being uploaded off-host, especially when editing sensitive images.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.