Huo15 Img Prompt

Security checks across malware telemetry and agentic risk

Overview

This is a real image-prompt toolkit, but it ships prompt-safety bypass helpers and several data, credential, and persistence behaviors that go beyond its stated scope and warrant review before installation.

Install only if you accept a prompt toolkit that sends prompts and images to external providers, reads API keys from your environment, fetches remote image URLs, and persists creative material locally. If you do install it: do not use the safety_lint or polish features to bypass provider rules; run the Web UI on localhost only; leave ANTHROPIC_BASE_URL unset unless you trust the endpoint it names; and review or delete ~/.huo15 and any Obsidian exports if the prompts or reference images are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (23)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
```python
# Excerpt quoted by the scanner; the string "脚本不存在" means "script does not exist".
# The flagged line imports whatever module name is held in `s` with no check on its value.
item["msg"] = "脚本不存在"
        else:
            try:
                mod = __import__(s)
                v = getattr(mod, "VERSION", None)
                if v:
                    item["status"] = "ok"
```
Confidence
84% confidence
Finding
mod = __import__(s)
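A safer shape for this probe, added here as an example and not the toolkit's own code: the module name must be a plain (optionally dotted) identifier and must appear on an explicit allowlist before importlib touches it, so a name taken from a config file, a CLI argument or an agent tool call cannot pull in an arbitrary module. The allowlist contents and the name huo15_missing_helper are assumed for illustration; the finding does not show which helper scripts the toolkit actually probes.

```python
import importlib
import re

# Allowlist of helper modules this check may probe. Names are assumed for
# illustration; the finding does not list the toolkit's real scripts.
ALLOWED_SCRIPTS = frozenset({
    "json", "hashlib", "xml.etree.ElementTree", "huo15_missing_helper",
})

# Plain dotted identifier only: no path separators, spaces or other junk.
_MODULE_NAME = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


def probe_script(name, allowed=ALLOWED_SCRIPTS):
    """Report whether an optional helper is importable and exposes VERSION.

    The scanner flagged `mod = __import__(s)` on an unchecked string. Here
    the name must be a syntactically plain module path AND be on the
    allowlist before any import is attempted.
    """
    item = {"name": name, "status": "error", "msg": ""}
    if not _MODULE_NAME.match(name) or name not in allowed:
        item["msg"] = "script name not allowed"
        return item
    try:
        mod = importlib.import_module(name)
    except ModuleNotFoundError as exc:
        if exc.name == name:
            item["status"] = "missing"
            item["msg"] = "script does not exist"
        else:  # the helper exists but one of its own imports is absent
            item["msg"] = f"helper dependency missing: {exc.name}"
        return item
    except Exception as exc:  # import-time crash inside the helper
        item["msg"] = f"import failed: {type(exc).__name__}"
        return item
    version = getattr(mod, "VERSION", None)
    if version:
        item["status"] = "ok"
        item["version"] = str(version)
    else:
        item["status"] = "no-version"
        item["msg"] = "module loaded but defines no VERSION"
    return item


def probe_all(names, allowed=ALLOWED_SCRIPTS):
    """Probe each name and return the per-script report list."""
    return [probe_script(n, allowed) for n in names]
```

importlib.import_module carries the same risk as __import__ on an attacker-chosen string; the control is the allowlist, not the import function. A ModuleNotFoundError whose .name equals the requested module means the helper is absent, while a different .name means the helper itself failed to import one of its own dependencies, which is reported separately so the two cases are not confused in diagnostics.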

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The 'safety_lint' feature is framed as harmless compliance polishing, but the documented examples explicitly rewrite sensitive or prohibited content into euphemistic variants intended to pass platform filters. This is dangerous because it operationalizes policy evasion and can help transform disallowed violence, nudity, or other restricted content into prompts optimized to bypass safeguards.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This prompt-enhancement tool also writes user-derived content into local storage locations such as an Obsidian vault and session files, expanding its data-handling scope beyond what users may expect from a text transformation utility. That creates privacy and integrity risk because sensitive prompt content may be persisted to disk or injected into personal knowledge bases without strong disclosure, path restrictions, or content sanitization beyond filename cleanup.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script can forward user prompts to external Claude-based modules for suggestion and polishing, which changes the trust boundary from local prompt processing to third-party processing. If users provide sensitive creative, personal, or proprietary content, it may be transmitted off-host without sufficiently prominent disclosure in the execution path.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code probes environment variables and common filesystem paths to locate an Obsidian vault, which reveals awareness of local user data layout and broadens the file-access surface. While not directly exfiltrating data, this behavior is more invasive than necessary for core prompt enhancement and can surprise users by targeting personal knowledge repositories automatically.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script fetches arbitrary user-supplied URLs with urllib before sending the resulting bytes to the Vision API. This creates an SSRF-style/network egress surface and can be abused to access internal services, cloud metadata endpoints, or other unintended network locations, which is broader than a local image review helper needs.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Allowing ANTHROPIC_BASE_URL to override the API endpoint means image data, prompts, and the API key can be sent to any attacker-controlled server if the environment is influenced. In a skill or agent environment, that turns a normal API call into full exfiltration of sensitive inputs and credentials.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script explicitly aims to rewrite prompts so they are less likely to be flagged by image-model safety systems, which goes beyond ordinary prompt-help functionality and into policy-evasion assistance. Even if some use cases are framed as legitimate art creation, the mechanism can be used to preserve disallowed intent while bypassing downstream safeguards.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation claims the tool blocks defamatory political content about real people, but the implemented hard blocks only cover sexual content involving real people. The mismatch creates a false sense of safety: users may rely on the tool while it silently rewrites or passes through defamatory prompts.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The UI loads JavaScript from https://cdn.tailwindcss.com at runtime, which creates a real third-party code execution dependency in a server that is presented as local and dependency-free. If the CDN, network path, or injected script is compromised, arbitrary script can run in the browser with access to everything entered into the UI, including prompt content and any data returned by the local API.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The claim of being pure standard-library and dependency-free is contradicted by the embedded HTML importing third-party CDN code. This mismatch is security-relevant because users may trust the tool as fully local/offline when it actually depends on remote code, increasing the likelihood of unsafe deployment in sensitive environments.
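A check a reviewer can run against the two findings above, added here as an example and not code from the toolkit: parse the embedded HTML and list every script or stylesheet loaded from another origin, noting whether it carries a Subresource Integrity hash. Any hit contradicts a "pure standard library, no dependencies" claim. The SAMPLE_HTML below is constructed to resemble the finding; it is not the toolkit's actual page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ExternalResourceScanner(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> that point off-host.

    An external script is remote code running with full access to the UI;
    one without an `integrity` attribute can be swapped at the CDN or on
    the network path without the browser noticing.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            url = a["href"]
        if url is None:
            return
        parts = urlsplit(url)
        # Absolute http(s) URLs and protocol-relative "//host/..." URLs are
        # external; same-origin paths such as /static/app.js are not.
        if parts.scheme in ("http", "https") or url.startswith("//"):
            self.findings.append({
                "tag": tag,
                "url": url,
                "host": parts.netloc,
                "scheme": parts.scheme or "protocol-relative",
                "has_sri": bool(a.get("integrity")),
            })


def external_resources(html):
    """Return the list of off-origin script/stylesheet loads in the page."""
    p = ExternalResourceScanner()
    p.feed(html)
    p.close()
    return p.findings


def dependency_free(html):
    """True only when nothing is loaded from another origin."""
    return not external_resources(html)


# Constructed sample modelled on the finding (not the toolkit's real page).
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="/static/app.css">
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Note the caveat for this particular hit: the URL in the finding has no version in it, and an integrity attribute can only pin content that never changes, so the fix for a version-less CDN script is to vendor the file into the server's own static assets rather than to add SRI to the remote URL.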

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes highly generic phrases such as '文生图' (text-to-image), '文生视频' (text-to-video), '提示词增强' (prompt enhancement) and related common workflow terms, making accidental activation likely in normal conversation. Overbroad invocation is dangerous here because the skill can perform networked operations, file writes, and persistence features, so an unintended trigger may cause side effects the user did not mean to authorize.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The documentation explicitly says the agent should automatically call the skill when it recognizes keywords like '赛博朋克' (cyberpunk), without defining strict boundaries or confirmation requirements. This ambiguity is risky because keyword-based activation can misfire on ordinary discussion and launch tools that touch the filesystem, external services, or stored sessions without informed user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API key check reveals the first 8 characters of each configured secret in terminal and JSON output. Partial credential disclosure can aid correlation, fingerprinting, log leakage, and secret-matching across systems, especially if output is captured in CI logs, screenshots, or shared diagnostics.
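What a key check should print instead, added here as an example and not the toolkit's code: presence, length and a truncated SHA-256 fingerprint, which lets a user confirm that two machines hold the same key without any byte of the key reaching a terminal, JSON file or CI log. The environment variable names in KEY_VARS are assumed for illustration; the finding does not list which ones the toolkit reads. The leaks_secret helper is a self-check that fails the report if a run of the secret ever appears in the rendered output.

```python
import hashlib
import json
import os

# Environment variables to report on. Assumed for illustration; the finding
# does not list which variables the toolkit's key check reads.
KEY_VARS = ("ANTHROPIC_API_KEY", "OPENAI_API_KEY", "REPLICATE_API_TOKEN")


def fingerprint(secret, length=8):
    """Truncated SHA-256 of the secret. Cannot be turned back into the key
    (it can only confirm a candidate the holder already has), unlike a
    plaintext prefix, which narrows a brute-force or matches other leaks."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:length]


def describe_key(name, value):
    """Presence, length and fingerprint only; never a slice of the value."""
    if not value:
        return {"name": name, "configured": False}
    return {"name": name, "configured": True,
            "length": len(value), "fingerprint": fingerprint(value)}


def check_keys(env=None, names=KEY_VARS):
    """Build the diagnostics report from an environment mapping."""
    env = os.environ if env is None else env
    return [describe_key(n, env.get(n)) for n in names]


def leaks_secret(report, secrets, min_len=6):
    """Self-check before the report is printed or written as JSON: does any
    run of min_len or more characters of a secret appear in the rendered
    text? Catches a regression back to "first 8 characters" style output."""
    text = json.dumps(report)
    for s in secrets:
        for i in range(max(1, len(s) - min_len + 1)):
            if s[i:i + min_len] in text:
                return True
    return False
```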

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes user-controlled content into Markdown and YAML-like frontmatter inside an Obsidian vault without explicit warning at the write site or robust escaping of content fields. This can cause unintended note injection, malformed frontmatter, or unsafe rendering/plugin interactions in downstream tooling that processes vault content.
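One way to make the vault write safe at the write site, added here as an example and not the toolkit's own code: every frontmatter value is emitted as a double-quoted YAML scalar via json.dumps (JSON string syntax is valid YAML, so quotes, newlines and control characters are escaped in one call), the filename is reduced to a safe character set, and the final path is resolved and checked to still lie inside the vault. The frontmatter keys (title, tags) and the sample values are assumed for illustration; the toolkit's real note layout is not shown in the finding.

```python
import json
import re
from pathlib import Path

# Anything outside word characters (Unicode-aware, so Chinese titles survive),
# space, dot and hyphen becomes an underscore: no path separators, no NULs.
_UNSAFE = re.compile(r"[^\w .-]+")


def yaml_scalar(value):
    """Render a value as a double-quoted YAML scalar.

    A title such as 'x"\\ntags: [evil]' stays inside its quotes instead of
    starting a new frontmatter key on the next line.
    """
    return json.dumps(str(value), ensure_ascii=False)


def render_note(title, tags, body):
    """Markdown note with a frontmatter block whose values are all quoted."""
    lines = [
        "---",
        f"title: {yaml_scalar(title)}",
        "tags: [" + ", ".join(yaml_scalar(t) for t in tags) + "]",
        "---",
        "",
        body,
    ]
    return "\n".join(lines) + "\n"


def safe_filename(title, max_len=80):
    """Filename derived from the title; leading dots stripped so the note
    cannot become a hidden file or a '..' component."""
    name = _UNSAFE.sub("_", title).strip(" .")
    if not name:
        raise ValueError("title yields an empty filename")
    return name[:max_len] + ".md"


def vault_path(vault, title):
    """Join into the vault and refuse any result that resolves outside it
    (defence in depth behind safe_filename; also covers a symlinked vault)."""
    root = Path(vault).resolve()
    target = (root / safe_filename(title)).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError("refusing to write outside the vault") from None
    return str(target)
```

Body text is written as-is here; if downstream plugins execute or template note bodies, the body needs the same treatment as the frontmatter and the user should be told at the write site that prompt content is being persisted.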

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script can send user-provided prompts to several third-party cloud inference services and uses environment-sourced API credentials, but it provides no explicit runtime privacy or exfiltration warning when remote backends are selected. In an agent-skill context, users may assume prompt rendering is local or may not realize sensitive prompts are being transmitted externally, increasing data leakage risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script will fetch arbitrary HTTP(S) URLs provided by the user without any explicit warning that running it causes outbound network access. In an agent or skill context, this can unexpectedly disclose the user's IP address, environment egress behavior, and potentially trigger requests to attacker-controlled infrastructure, making SSRF-style or privacy-impacting misuse more plausible.
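An egress policy covering the three network findings above (the user-supplied image URL fetch, and the ANTHROPIC_BASE_URL override), added here as an example and not the toolkit's own code. check_fetch_url rejects non-http(s) schemes, credentials in the URL, and any host that resolves to a loopback, private, link-local (including the 169.254.169.254 cloud metadata address) or otherwise non-global address, requiring every resolved record to pass. resolve_api_base honours the environment override only for an https URL whose host is on an allowlist and otherwise falls back to the default instead of redirecting prompts, images and the API key elsewhere. The trusted host set and the resolver injection parameter are assumptions made for illustration.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# API hosts the toolkit is expected to talk to. Assumed for illustration;
# the findings do not list the toolkit's provider endpoints.
TRUSTED_API_HOSTS = frozenset({"api.anthropic.com"})
DEFAULT_API_BASE = "https://api.anthropic.com"


def resolve_api_base(env=None):
    """Return (base_url, reason). Fail closed to the default unless the
    override is plain https to an allowlisted host."""
    env = os.environ if env is None else env
    raw = (env.get("ANTHROPIC_BASE_URL") or "").strip()
    if not raw:
        return DEFAULT_API_BASE, "default"
    parts = urlsplit(raw)
    if parts.scheme != "https" or parts.username or parts.password:
        return DEFAULT_API_BASE, f"rejected override {raw!r}: not plain https"
    if parts.hostname not in TRUSTED_API_HOSTS:
        return DEFAULT_API_BASE, f"rejected override {raw!r}: host not trusted"
    return raw.rstrip("/"), "override"


def _blocked_ip(ip):
    """True for anything that is not a globally routable unicast address."""
    a = ipaddress.ip_address(ip.split("%")[0])  # drop IPv6 zone id
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped is not None:
        a = a.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not a.is_global


def _default_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url, resolver=_default_resolver):
    """Decide whether a user-supplied reference-image URL may be fetched.

    `resolver` maps a hostname to its address list; it is injectable so the
    policy can be tested offline (assumption for this example).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if _blocked_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

Two caveats for using this with urllib: the check resolves the name once while the fetch resolves it again, so a rebinding DNS name can pass the check and then point at an internal address (connect to the vetted IP and send the Host header yourself, or re-check on each resolution); and urllib follows redirects automatically, so each redirect target must go through check_fetch_url as well.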

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function sends user-supplied reference images to Anthropic's external API, but the call site provides no explicit runtime warning, consent check, or privacy notice. In this skill's context, users may pass personal, copyrighted, or sensitive images, so silent transmission to a third party creates a real privacy and data-handling risk even if it is not code-execution related.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The learned preset persisted to ~/.huo15/learned_presets includes source_images and per_image_specs, which may reveal private file paths, URLs, and derived descriptions of sensitive content. Persisting this data without an explicit warning, retention control, or minimization can expose user information to other local users, backups, sync tools, or later unintended reuse.

Ssd 1

Medium
Confidence
89% confidence
Finding
The system prompt explicitly instructs the model not to refuse and to artistically reframe borderline unsafe terms instead of rejecting them. This weakens safety controls and can increase the chance that disallowed sexual, violent, or otherwise policy-sensitive content is transformed into output that bypasses downstream moderation expectations.

Ssd 1

High
Confidence
98% confidence
Finding
Labeling the tool as 'compliance polishing' obscures that it is designed to help prompts get accepted by replacing risky wording with safer-looking alternatives. That framing increases danger because users and reviewers may underestimate that the tool materially assists circumvention of model-provider safety policies.

Ssd 2

High
Confidence
99% confidence
Finding
The substitution table converts explicit risky terms like violence, nudity, death, weapons, and real-person references into euphemistic artistic phrases while often retaining the original concept. This is dangerous because it directly operationalizes safety-filter evasion at scale and can be used to launder prohibited prompts into forms more likely to pass downstream moderation.

Ssd 4

Medium
Confidence
94% confidence
Finding
The documented workflow explicitly optimizes prompts against platform-specific strictness, creating a procedural bypass path: detect what may trigger filters, soften it, and tailor wording to maximize acceptance. In context, this makes the skill more dangerous because it is not incidental rewriting but a systematic moderation-evasion pipeline.

VirusTotal

VirusTotal findings are pending for this skill version.
