Visual References

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Pexels reference-image downloader, with expected API-key, network, and temporary file-writing behavior disclosed.

Install only if you are comfortable providing a Pexels API key and letting the skill download reference images into /tmp/visual-refs. Keep the default output path or use a dedicated empty folder, because custom output folders may have ref_* files removed during cleanup. Ask the agent to show references first when you want to choose which images influence generation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script deletes all files matching ref_* and refs_meta.json in the user-supplied output directory before each run, without confirmation or strong path safety checks. If a user points --output at an important directory, the cleanup can silently remove existing files, causing data loss beyond the current invocation's generated artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal