Security audit

Byted Las Image Resample

Security checks across malware telemetry and agentic risk

Overview

This image-resizing skill is mostly coherent, but its setup automatically downloads and installs a remote SDK without a clear user approval or integrity check.

Review before installing. Use least-privilege Volcengine credentials, avoid sensitive images unless you accept remote processing by Volcengine LAS, and do not run the setup script unless you accept that it may download and install a remote SDK without hash or signature verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill invokes shell commands extensively (`source`, `identify`, `lasutil`, `jq`, helper scripts) but does not declare shell permissions. This creates a capability transparency problem: the runtime may execute local commands, access local files, and interact with external services without an explicit permission contract, increasing the chance of unsafe execution and reducing user/operator visibility.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The documented behavior goes beyond image resampling and includes contacting remote update endpoints, installing or upgrading software from a remote URL, creating environments, and running initialization scripts. This is dangerous because it introduces a software supply-chain and remote code execution surface that users would not reasonably expect from an image-processing skill, especially when the update/install path is triggered automatically before task execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The init script fetches a remote manifest and conditionally installs software from the network during environment setup, which exceeds the stated image-resampling functionality of the skill. This creates a supply-chain and integrity risk because execution behavior depends on mutable remote content and network state, even before the user performs any image operation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The script implements a network-based self-update flow by comparing local and remote versions and then upgrading from a remote wheel URL. For an image-resizing skill, this is unnecessary and dangerous because compromise of the hosting location, DNS, TLS trust, or publishing process could lead to arbitrary code execution in the user's environment.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation instructs users to send image content and an API key to a remote Volcengine endpoint but does not warn that user-provided images will leave the local environment or discuss privacy, retention, or handling of potentially sensitive images. In an agent skill context, this can cause unintended exfiltration of confidential images or credentials because users may assume a local-only resize operation.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script performs a silent package installation from a remote URL without prior warning or confirmation, which can unexpectedly modify the user's environment and execute untrusted package install logic. Because pip installation runs package metadata/build/install steps, this can become a direct code execution vector if the artifact or distribution channel is compromised.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.