Seedream5

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is coherent and disclosed: it uses a Volcengine API key to send prompts or selected images to Volcengine and save generated images locally.

Install only if you are comfortable using a Volcengine API key and sending prompts or chosen reference images to Volcengine. Avoid confidential images, secrets, or regulated personal data unless you have reviewed the provider terms, and choose output filenames carefully because the script writes to the path you provide.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation indicates capabilities that access environment variables, write files, and make network requests, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may approve the skill without understanding that it will use an API key, contact an external service, and save output locally. In this context those capabilities are expected for an image-generation skill, which lowers suspicion of malicious intent, but undeclared capabilities still increase risk and can undermine least-privilege controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal