Back to skill

Security audit

Animated Sticker Maker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward local animated-sticker maker, with dependency hygiene risks but no evidence of hidden data access or malicious behavior.

Before installing, use an isolated environment and ensure dependency resolution installs a current patched Pillow release rather than an old 10.0.x version. Treat generated packages as containing user-derived image material, and use --include-reference only when you intentionally want the original image copied into the output package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0,<13
numpy>=1.24
Confidence
83% confidence
Finding
numpy>=1.24

Known Vulnerable Dependency: Pillow==10.0 — 10 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +7 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
Pillow==10.0

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.