Security audit

Tomoviee Image Recognition

Security checks across malware telemetry and agentic risk

Overview

This is a normal third-party image-mask API helper, but users should treat submitted images and API credentials as shared with Tomoviee/Wondershare.

Install only if you are comfortable sending image URLs, prompts, task metadata, and Tomoviee/Wondershare API credentials to the provider. Use a dedicated API key, avoid private or regulated images unless third-party processing is allowed, do not paste secrets into shared terminals or logs, and keep use scoped to image-mask generation despite the broader bundled reference docs.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill is described as an image recognition/mask-generation capability, but the referenced guide instructs across unrelated video, image synthesis, and audio generation APIs. This scope mismatch can cause an agent to invoke capabilities outside the declared purpose, increasing the attack surface and enabling prompt or workflow abuse through unintended tool usage. In this context, the issue is more dangerous because broad multimodal generation guidance is embedded in a narrowly scoped skill, which may confuse downstream routing and policy enforcement.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The script accepts API credentials as command-line arguments and emits a derived authentication credential to stdout. This is dangerous because command-line arguments can be exposed via shell history, process listings, CI logs, and terminal capture, and the printed Basic token is directly reusable as an authorization secret.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger description, 'Use when users request image_recognition operations or related tasks,' is broad enough to match loosely related requests, increasing the chance the skill is invoked unexpectedly. Because the skill sends images to a third-party service, over-broad routing can cause unintended data disclosure or misuse in contexts where the user did not expect an external provider to be involved.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The markdown states that images are analyzed via a remote API but does not warn that image URLs or image data will be sent to an external service. This is dangerous because images often contain sensitive personal, proprietary, or location-revealing information, and users may unknowingly expose that data to a third party.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation instructs users to send image URLs and optional callback URLs to a third-party API without disclosing that user-provided images, derived metadata, and callback destinations are shared externally. This creates a real privacy and data-handling risk because users may submit sensitive images or internal URLs without informed consent, and callbacks can expose workflow metadata to external systems.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill promotes workflows for segmenting, editing, and removing people from photos without any guidance on consent, authenticity, or responsible handling of personal imagery. In context, this increases the risk of privacy violations, deceptive image manipulation, and misuse involving identifiable individuals, especially because the feature is framed as easy and automated.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script handles sensitive credentials unsafely by taking the app secret from argv and printing the resulting Basic authorization token. Because the token is merely base64-encoded rather than encrypted, it is equivalent to the live credentials, yet users may treat it as harmless text and inadvertently leak API access through logs, screenshots, shell history, or copied terminal output.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.