Long Image Slicer

Security checks across malware telemetry and agentic risk

Overview

This skill locally slices user-provided long screenshots into images and documents. Its file handling and optional URL handling are expected for that purpose, and there is no evidence of hidden or destructive behavior.

Install dependencies in a virtual environment where possible, use only trusted screenshots or image URLs, avoid pointing it at sensitive local files unnecessarily, and remember that generated slices, ZIP/DOCX, and PDF files may contain private screenshot content saved on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill instructs the agent to read local files via a user-supplied path and to save artifacts, but it declares no permissions. Undeclared file access weakens transparency and policy enforcement, and the local-path option could expose arbitrary files if the runtime does not independently constrain access.

Missing User Warnings

Medium
Confidence: 89%
Finding: The skill supports downloading a user-provided URL to /tmp, which introduces network-fetch and local-write behavior without clearly disclosing or constraining it. This can enable SSRF-style access to internal resources or retrieval of untrusted content, and it also writes data to disk as part of processing.

VirusTotal

65/65 vendors flagged this skill as clean.
