Crazyrouter Image Gen

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal image-generation skill that uses Crazyrouter, with a privacy disclosure gap users should understand.

Install only if you are comfortable sending image prompts and related request metadata to Crazyrouter and possibly underlying model providers. Avoid using it with secrets, confidential project details, regulated data, or private personal information unless you have reviewed Crazyrouter’s data handling terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill description says to use the skill when a user asks to 'generate, create, or draw an image,' which is broad enough to trigger on many ordinary requests without clearly signaling that content will be sent to a third-party provider. In an agentic environment, this can cause over-invocation and unintended external data sharing, especially if user prompts contain sensitive or proprietary information.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The markdown instructs the agent to send user-provided prompts to Crazyrouter but does not warn that prompts and generation requests are transmitted to an external API. This creates a privacy and data-handling risk because users may unknowingly disclose sensitive text, internal project details, or regulated data to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal