Code To Images

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: convert user-provided code files into images and PDFs, with disclosed local tooling requirements.

Install only if you are comfortable running local Python and Node tooling. Prefer a virtual environment or project-local npm install, review the generated script before running it, and only add source files you intend to convert.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill instructs installing a global npm package and running local subprocesses (`node`, Python, and package-based conversion) without prominently warning the user that external code will be installed and executed on the host. This increases supply-chain and execution risk, especially in environments where users may assume the skill is purely declarative or sandboxed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal