Chinese Image Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local image-rendering helper with manageable network and browser-sandbox cautions, not hidden or destructive behavior.

Install if you are comfortable adding Playwright/Chromium and allowing Google Fonts network requests during rendering. For confidential content, air-gapped systems, or untrusted HTML, use local approved fonts and run the renderer in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly depends on Google Fonts CDN for rendering Chinese text, which causes outbound network requests during image generation. Without a clear warning, users may unknowingly expose usage metadata, IP address, timing, and possibly prompt-derived content context to a third party, which is especially problematic in privacy-sensitive or air-gapped environments.

Missing User Warnings

Medium
Confidence: 98%
Finding
The example HTML includes a remote stylesheet from fonts.googleapis.com and the rendering flow waits for network idle, normalizing external fetches as part of routine execution. If users paste sensitive or proprietary content into generated HTML, they may not realize the render step depends on third-party network access, creating privacy, compliance, and reliability risks.

VirusTotal

66/66 vendors flagged this skill as clean.
