NK Images Search

Security checks across malware telemetry and agentic risk

Overview

This is a coherent NK Images search and image-generation skill that uses NK Images APIs as expected and shows no hidden local access, persistence, or destructive behavior.

Install only if you are comfortable sending image searches, generation prompts, feedback descriptions, and optional email addresses to NK Images. Avoid confidential client data, sensitive personal details, or private prompts unless you intend to share them with that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill gives contradictory instructions about image URLs: earlier it says view/download URLs must be copied exactly from API responses and never constructed, but later instructs building `https://nkimages.com/photo/{id}` from IDs. This inconsistency can cause the agent to fabricate links, produce broken or misleading output, and violate the API's own safety/integrity constraints.

Missing User Warnings

Medium
Confidence: 95%
Finding
The feedback flow sends user-provided query text, issue descriptions, and optionally an email address to NK Images, but the instructions do not require a clear disclosure at the point of collection. That creates a privacy/transparency issue because users may not realize their content and contact information are being transmitted to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.
