Back to skill

Security audit

NK Images Search

Security checks across malware telemetry and agentic risk

Overview

This skill coherently searches and generates images through NK Images APIs, with no hidden local access, persistence, or destructive behavior found.

Install this only if you are comfortable sending image searches, generation prompts, and any feedback details to NK Images. Avoid confidential client data, sensitive personal information, or private prompts unless you intend to share them with that service; verify image links if correctness matters because one result-format section conflicts with the stronger instruction to use API-provided URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill first instructs the agent to use API-returned URLs exactly as provided, but later tells it to construct result page links as `https://nkimages.com/photo/{id}`. That inconsistency can cause the agent to fabricate links, misdirect users, or present invalid destinations, which is a security and integrity risk when link correctness is explicitly important.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send user search queries to an external third-party API and to include a tracking parameter, but it does not require clear user-facing notice or consent. Queries and image-generation prompts can contain sensitive personal, business, or regulated information, so silent transmission creates a privacy risk and unnecessary data disclosure to the external service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The feedback flow sends user-provided descriptions, queries, generation IDs, and optional email addresses to a third-party endpoint, but the skill lacks a clear upfront disclosure of that transfer. Even though it says not to auto-submit without consent, users are not adequately informed about what data leaves the system, creating privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.