openai-vision

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward OpenAI image-analysis skill, but users should remember that selected images may be sent to OpenAI for processing.

Install/use this only for images you are comfortable sending to OpenAI. Be careful with screenshots, IDs, medical or financial documents, credentials, source code, customer data, or confidential business material; redact sensitive parts first and use a revocable OpenAI API key with appropriate billing and data-retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill encourages uploading images from URLs and local files to OpenAI vision APIs without a prominent privacy warning that image contents, embedded text, and potentially sensitive personal or confidential information will be transmitted to a third-party service. In this context, the skill is specifically designed for image ingestion and OCR, which increases the risk of accidental exfiltration of sensitive data from local files or internal images.

VirusTotal

65/65 vendors flagged this skill as clean.
