Security audit

Vibesku

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its VibeSKU CLI purpose, but it should be reviewed because it recommends updating the installed skill from GitHub without a clear user approval step.

Install only if you are comfortable with a CLI that can access your VibeSKU account, upload chosen product assets to VibeSKU, download generated outputs, and consume or purchase credits through user-directed commands. Review upload and batch commands before running them, protect the config file and API keys, use only trusted base URLs, and require explicit approval before any skill update from GitHub or another upstream source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 73%
Finding
The trigger list includes broad phrases such as product visuals, ecommerce images, hero banner, and listing copy, which can match many ordinary user requests that do not specifically intend to invoke this external-service skill. Over-broad activation increases the chance of unintended tool use, unnecessary data disclosure to a third party, and surprise charges or side effects.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation advertises asset upload and export/download behavior but does not clearly warn users that local files and prompts will be transmitted to a remote SaaS platform. In this context, the skill processes product photos and logos, which may be proprietary marketing assets, so silent transmission materially raises privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The command reference explicitly states that local image and logo files are auto-uploaded during generation, but it does not warn users that these files will be transmitted to a remote VibeSKU service and may contain sensitive or proprietary product data. In a CLI context, users may assume processing is local unless told otherwise, increasing the risk of accidental disclosure of confidential assets, unreleased product imagery, or embedded metadata.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.