Back to skill

Security audit

Doubao Image Generator — AI 文生图工具 based on SeeDream 5.0

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill has a coherent purpose, but it needs review because it can send prompts to a third-party API, partially expose API keys in diagnostics, and includes unsafe advice about bypassing content filters.

Install only if you are comfortable sending prompts to Volcengine ARK and managing a paid API key. Avoid using it with secrets, private business text, or sensitive personal data, and review or remove the diagnostic key-printing and content-filter bypass guidance before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes broad everyday phrases such as '画一张' and '帮我画', which can cause the skill to activate in contexts where the user did not clearly consent to sending content to an external image-generation service. In an agent environment, overly permissive activation increases the chance of accidental prompt transmission, unexpected charges, and privacy leaks from normal conversation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents sending prompts and an API bearer token to a third-party endpoint but does not clearly warn users that their text will leave the local environment and be processed by an external provider. This creates a privacy and informed-consent risk, especially if users may submit sensitive prompts or misunderstand how their data is handled.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases such as '帮我画', '画一个', and '生成一张...的图' are broad, natural-language patterns that overlap with ordinary conversation. This can cause the skill to activate unexpectedly and send user-provided text to an external image API without a clear, intentional invocation.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The main trigger-word list is ambiguous and lacks scope constraints, making accidental invocation likely in normal chat. In this skill's context, accidental activation is more concerning because it can initiate paid external API requests and disclose user prompts to a third-party service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script prints the first 10 characters of any configured environment variable, including ARK_API_KEY, to user-visible output. Even partial secret disclosure can aid credential correlation, leak identifiable key prefixes into logs/CI output, and violates the principle that secrets should never be echoed unless explicitly requested and safely masked.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends the user-supplied prompt to a third-party remote API to generate images, but it does not provide an explicit privacy or network-transmission warning at the point of use. In a skill context, users may enter sensitive business or personal text into prompts, so undisclosed outbound transmission can create confidentiality and compliance risk even if this is the intended functionality.

Ssd 2

Medium
Confidence
97% confidence
Finding
The README advises users to modify blocked prompts using 'more euphemistic' wording to get around platform safety controls. Guidance that helps users bypass provider moderation is unsafe because it facilitates policy evasion and can enable prohibited or harmful image-generation requests.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
OPTIMIZATION_REPORT.md:293