MasterPiece Clone

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image style-transfer skill that sends user-provided image URLs to a third-party Pixify/ngmob API as part of its stated purpose.

Install only if you are comfortable sending the reference and target image URLs to the Pixify/ngmob service. Use a dedicated API key if possible, keep it out of logs and shared prompts, and avoid submitting sensitive or private photos unless you understand the provider's handling and retention policies.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (7)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: This markdown file documents sending user-provided image URLs to https://api.ngmob.com and using an API key for workflow execution. While the API usage is described, there is no explicit user-facing warning about data being transmitted to an external service or any privacy implications for the submitted images.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This manifest defines a POST request to a third-party endpoint and includes two user-supplied image URLs in the request body, but the description does not warn that user content will be transmitted off-platform. For manifest/markdown-style skill definitions, this is a privacy-relevant behavior that should be disclosed so users understand their data is being sent to an external service.

External Transmission

Medium

Category: Data Exfiltration
Content: "Image Input": "https://example.com/reference-style.png", "Image Input 1": "https://example.com/target-photo.png" } }' | curl -X POST https://api.ngmob.com/api/v1/workflows/Awtk0EnhqBGkoOExvseI/run \ -H "Authorization: Bearer $API_KEY" \ -H "Content-Type: application/json" \ -d @-
Confidence: 60% confidence
Finding: curl -X POST https://api.ngmob.com/api/v1/workflows/Awtk0EnhqBGkoOExvseI/run \ -H "Authorization: Bearer $API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: "Image Input": "https://example.com/reference-style.png", "Image Input 1": "https://example.com/target-photo.png" } }' | curl -X POST https://api.ngmob.com/api/v1/workflows/Awtk0EnhqBGkoOExvseI/run \ -H "Authorization: Bearer $API_KEY" \ -H "Content-Type: application/json" \ -d @-
Confidence: 50% confidence
Finding: https://api.ngmob.com/

External Transmission

Medium

Category: Data Exfiltration
Content: Use the returned `task_id` to query task status: ```bash curl https://api.ngmob.com/api/v1/workflows/executions/{task_id} \ -H "Authorization: Bearer $API_KEY" ```
Confidence: 50% confidence
Finding: https://api.ngmob.com/

External Transmission

Medium

Category: Data Exfiltration
Content: "author": "your-name", "type": "api", "category": "image-generation", "endpoint": "https://api.ngmob.com/api/v1/workflows/Awtk0EnhqBGkoOExvseI/run", "method": "POST", "headers": { "Content-Type": "application/json",
Confidence: 50% confidence
Finding: https://api.ngmob.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ], "polling": { "enabled": true, "url": "https://api.ngmob.com/api/v1/workflows/executions/{{task_id}}", "method": "GET", "headers": { "Authorization": "Bearer {{API_KEY}}"
Confidence: 50% confidence
Finding: https://api.ngmob.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal