Volcseed

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed image-editing helper that uses configured credentials only for user-run submit and fetch commands.

Install only if you trust the configured Tianshu/Volcseed proxy endpoints. Treat TS_TOKEN and AIZNT_PROXY_URLS as secrets, avoid sharing logs or command examples that contain them, and do not submit private image URLs or sensitive prompts unless you intend to send them to that service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 78% confidence
Finding: The documentation instructs users to sync credentials and use proxy/API configuration but provides no caution about handling TS_TOKEN or AIZNT_PROXY_URLS as sensitive material. In practice, missing warnings can lead operators to paste tokens into logs, examples, issue reports, or misconfigured JSON, increasing the risk of credential exposure and misuse of the external image-editing service.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal