Ai Image To Code

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, converting UI screenshots into code, with no evidence of hidden or harmful behavior.

Reasonable to install from a security perspective. Be aware that screenshots may be sent to a vision model for analysis, so avoid using it on confidential UI, credentials, private customer data, or unreleased designs unless that data handling is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

High
Confidence: 98%
Finding
The file defines a working test runner and then later redefines `_main` to call `_run_unit_tests()`, which is not defined in this file. This can break or subvert the documented execution path, causing tests to fail at runtime or preventing the intended checks from running, which weakens trust in the validation process and can let unsafe or noncompliant skill content slip through unnoticed.

VirusTotal

50/50 vendors flagged this skill as clean.
