Back to skill

Security audit

Byted Mediakit Image

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MediaKit CLI wrapper for cloud image processing, with some privacy caveats users should understand before sending images to the service.

Install only if you trust MediaKit CLI and are comfortable configuring a MediaKit API key. Treat submitted images as cloud-processed data: avoid private, regulated, confidential, or sensitive images unless you are authorized and understand the provider’s handling and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description says it should trigger whenever the user needs MediaKit CLI image-domain capabilities, which is a broad activation rule without explicit scoping, confirmation requirements, or task boundaries. In a shell-permitted skill, overbroad triggering can cause the agent to invoke external image-processing operations unexpectedly on user-supplied inputs or sensitive files, increasing the chance of unintended command execution paths, privacy exposure, or unsafe automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly states the capability is cloud-only and requires an image URL, but it does not warn users that image content will be sent to a remote service for processing. This can lead to unintended disclosure of sensitive or regulated image data, especially if users assume local/private handling from a generic 'image enhancement' capability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states the operation is 'cloud only' and requires a public image URL, but it does not warn users that their images will be transmitted to and processed by a remote service. This can lead to unintended disclosure of sensitive image content or metadata, especially if users assume processing is local or private.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The documentation describes a cloud-only image quality evaluation capability that requires a publicly accessible image URL, but it does not explicitly warn users that the remote service will fetch and process the image content. This can lead to unintentional disclosure of sensitive image data or metadata if users assume processing is local or do not appreciate that third-party/cloud handling occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly describes a cloud-only OCR operation that sends a user-supplied image URL to an external service, but it does not warn users about third-party processing, data exposure, retention, or privacy implications. Because OCR inputs often contain sensitive personal or business information, this omission can lead to unintended disclosure when users invoke the skill under the assumption that processing is local or private.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.