pixcakeai

Security checks across malware telemetry and agentic risk

Overview

This skill coherently edits a user-provided photo and optionally adds a watermark, with no evidence of hidden data access, persistence, or exfiltration.

Review that this skill may crop or pad photos to 9:16 and depends on the sharp package without an exact version pin. It appears appropriate for photo enhancement, but avoid sending sensitive images unless you are comfortable with the platform running image-processing code on them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The manifest lists generic trigger phrases like "enhance photo" and "add watermark" without additional scope, exclusions, or context. These phrases are common enough to match ordinary user requests, increasing the chance of unintended skill activation.

Unpinned Dependencies

Low

Category: Supply Chain
Content: "version": "1.0.0", "main": "openclaw-index.js", "dependencies": { "sharp": "^0.33.2" } }
Confidence: 40% confidence
Finding: "sharp": "^0.33.2"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal