Snap Illustrator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it asks the agent to permanently save proxy settings inside the skill and can use stored or ambient HuggingFace credentials with limited disclosure.

Review before installing. Use it only with markdown content you are comfortable sending as image prompts to Pollinations or HuggingFace. Do not let it write proxy addresses into SKILL.md; prefer temporary HTTP_PROXY/HTTPS_PROXY environment variables. Check for ~/.config/snap-illustrator/config.json and HF_TOKEN if you do not want HuggingFace credentials used automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium (97% confidence)
Finding
The skill instructs the agent to modify its own SKILL.md to persist a user-provided proxy setting, creating self-modifying behavior unrelated to the core task of illustrating markdown. Persisting network configuration into the skill definition can silently affect future executions, expand trust boundaries across sessions, and store potentially sensitive infrastructure details on disk.

Missing User Warnings

Medium (88% confidence)
Finding
The skill directs the agent to modify the original markdown file by inserting generated image links, which is a side-effecting file write. Although the workflow asks for outline confirmation, it does not explicitly warn that the source document will be edited in place, increasing the risk of unintended content changes or overwriting user work.

Missing User Warnings

High (98% confidence)
Finding
The skill tells the agent to persist a user-provided HTTP proxy address into SKILL.md for future reuse without warning that this stores sensitive network configuration to disk. Proxy endpoints can reveal internal infrastructure, corporate routing, or personal networking setup, and embedding them in a shared skill file may expose that data to other users or future runs.

Missing User Warnings

Medium (92% confidence)
Finding
The script sends raw prompt text to external image-generation providers, which can expose sensitive article content, proprietary drafts, or personal data if users include them in prompts. In this skill context, prompts are derived from markdown articles, so the chance of transmitting unpublished or confidential content is materially higher than a generic image tool.

Missing User Warnings

Medium (95% confidence)
Finding
The fallback logic may resend the same prompt to a second provider, increasing third-party disclosure without clear user awareness or consent. Because this skill advertises seamless zero-configuration operation on markdown articles, users may reasonably not expect their content to be shared across multiple external services automatically.

Ssd 3

Medium (96% confidence)
Finding
Persisting user-supplied proxy details into the skill file for automatic reuse creates cross-run data retention and configuration contamination. This can leak sensitive environment/network information and causes future executions to inherit hidden state from a previous user or session, which is unsafe for reproducibility and privacy.

VirusTotal

66/66 vendors flagged this skill as clean.
