Back to skill

Security audit

Listing Image Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate Amazon image-listing workflow, but it needs review because it can change live listings and briefly exposes a local directory through an unauthenticated public web server.

Install only if you are comfortable granting Amazon listing-write credentials and running a temporary public web server. Use a narrowly scoped SP-API role, test on one low-risk SKU first, serve only a dedicated directory containing generated image files, avoid running it from a machine with sensitive files, and review every SKU and image slot before using bulk report-driven uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill requires access to environment variables, local files, and the network, including SP-API credentials and image upload operations, but does not declare these permissions. Hidden or undeclared capabilities reduce user visibility into what data the skill can access and where it can send it, which is especially risky because it handles seller credentials and can modify live listings.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior materially understates what the skill does: it exposes local image files over a public HTTP server and retrieves the machine's public IP, neither of which is clearly conveyed by the stated purpose. That mismatch is dangerous because users may authorize or run the skill expecting local image processing, while it actually creates external exposure and network reachability that can leak product assets or broaden attack surface.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Including a title-editing script in a skill presented as an image optimizer expands the operational scope beyond user expectations. Scope creep in automation that has access to seller credentials is risky because it enables modification of unrelated listing attributes, increasing the chance of accidental abuse, policy violations, or unauthorized catalog changes.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
A title-patching capability is not justified by the stated image-optimization purpose and therefore represents unnecessary privilege and functionality. Unnecessary write actions against live listings increase the blast radius of mistakes or misuse, especially when combined with stored SP-API credentials.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation materially diverges from the skill’s advertised behavior: it only audits image metadata and optionally writes a local report, but does not pad images to 2000×2000 or update live Amazon listings. In a skill that claims to make automated live listing corrections via SP-API, this mismatch is dangerous because operators may rely on it for compliance remediation that never occurs, leaving listings broken or noncompliant while creating a false sense of completion.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documented target is 2000×2000, but the code only treats images smaller than 1000×1000 as problematic. That means images between 1000×1000 and 1999×1999 will be incorrectly treated as acceptable, causing incomplete detection and undermining the skill’s stated purpose in a marketplace context where image requirements directly affect listing quality and policy compliance.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script binds an HTTP server to 0.0.0.0 and serves files from a user-supplied directory so Amazon can fetch them. While this supports the stated workflow, it creates a publicly reachable unauthenticated file service and the path handling does not constrain requests to remain inside the intended directory, which can expose unintended local files if the port is reachable.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises automatic fixing and re-uploading of listing images but does not prominently warn that it modifies live Amazon listings. For seller operations, insufficient disclosure is dangerous because users may trigger irreversible production changes without understanding that the action affects customer-facing content rather than just generating local recommendations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation notes a temporary public HTTP server but does not clearly warn users that fixed images will be exposed on a publicly reachable endpoint during upload. Even if the exposure is short-lived, serving files over an open public port can leak unreleased or proprietary product imagery and unnecessarily exposes the host to scanning or unintended access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code opens a public HTTP server without any authentication, access restriction, or prominent warning, even though it serves local files for 15 minutes. In the context of a listing-image tool, exposing a local directory to the network is broader than users may expect and increases the risk of accidental data exposure, especially if deployed on a workstation or server with internet reachability.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/audit.js:16

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/push_images.js:17

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/audit.js:25

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/push_images.js:26