Image Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local image-management skill whose main privacy risk is retained local image data and metadata, not hidden or malicious behavior.

Install only if you are comfortable with the agent storing images and related metadata locally for search and reuse. Prefer using a dedicated folder, avoid indexing sensitive personal or financial images unless needed, and periodically review or delete the media directory and index file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence: 92%
Finding
The skill instructs users to save images and create a persistent local index, but it does not clearly warn that both image files and associated metadata will be written to disk. This can lead users to unknowingly store sensitive content such as personal photos, receipts, tags, descriptions, and timestamps in a searchable local repository, increasing privacy and data-retention risk.

Vague Triggers

Low
Confidence: 87%
Finding
The description states broad capabilities such as indexing, compression, classification, and quick search of local images, but it does not define when the skill should activate, what directories it may access, or what safety constraints apply. In an agent environment, vague scope can cause overbroad invocation and unintended access to local files, increasing the chance of privacy or data-handling issues.

VirusTotal

64/64 vendors flagged this skill as clean.
