Security audit

Gemini Image Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill, but users should treat its API endpoint and shared .env loading as privacy-sensitive.

Install only if you trust the publisher, Python dependencies, and the configured API provider. Use a dedicated Gemini key, prefer a skill-local .env with only GEMINI_* values, avoid placing unrelated secrets in /workspace/.env or ~/.openclaw/.env, and do not submit private images or sensitive prompts to untrusted custom endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation description is very broad and can trigger on generic image-related requests, causing the agent to invoke this skill when the user may not have intended external API use or file-processing behavior. In context, this matters because the skill can send prompts and images to a remote endpoint and use local files, so over-invocation increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs users to send prompts, images, and API keys to third-party proxies or custom endpoints, but it does not prominently warn that this transfers sensitive content and credentials outside the local environment. In the context of an image-generation skill that may process private user images and supports arbitrary provider base URLs, this omission increases the risk of credential exposure, unintended data sharing, and use of untrusted intermediaries.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation describes downloading remote image URLs and saving them locally without clearly warning about the security implications of network retrieval and file writes. In this skill context, remote image downloads from provider-controlled or proxy-controlled URLs can expose users to untrusted content, unexpected outbound requests, large-file/resource abuse, and unsafe local persistence if not validated and bounded.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends user prompts and optional input images to a user-configurable third-party endpoint, but the description does not clearly warn that potentially sensitive user content will leave the local environment. In an image-editing skill, users may upload private photos or confidential imagery, so the missing disclosure materially increases privacy and data-handling risk.

Credential Access

High
Category
Privilege Escalation
Content
env_paths: list[Path] = []
    loaded_paths: list[Path] = []

    # 1. Sandbox environment /workspace/.env
    sandbox_env = Path("/workspace/.env")
    if sandbox_env.exists():
        env_paths.append(sandbox_env)
Confidence
81% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
loaded_paths: list[Path] = []

    # 1. Sandbox environment /workspace/.env
    sandbox_env = Path("/workspace/.env")
    if sandbox_env.exists():
        env_paths.append(sandbox_env)
Confidence
80% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
if sandbox_env.exists():
        env_paths.append(sandbox_env)

    # 2. Global configuration ~/.openclaw/.env
    home = Path.home()
    global_env = home / ".openclaw" / ".env"
    if global_env.exists():
Confidence
79% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# 2. Global configuration ~/.openclaw/.env
    home = Path.home()
    global_env = home / ".openclaw" / ".env"
    if global_env.exists():
        env_paths.append(global_env)
Confidence
79% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
return loaded_paths


# Load the .env files immediately at module import (non-verbose mode)
_loaded_env_files = load_env_files(verbose=False)

MAX_RETRIES = 3
Confidence
82% confidence
Finding
.env

VirusTotal

67/67 vendors flagged this skill as clean.