Security audit

BBDuck

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local image-compression skill, with the main caution that it asks users to run a third-party Docker container that exposes a local service port.

Install only if you are comfortable running the referenced Docker image locally. Prefer pinning a reviewed image version or digest, bind the port to localhost with 127.0.0.1:28642:8000, stop the container when finished, and only send images you intend to compress.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The README instructs users to start a Docker container with a host port published to all interfaces (`-p 28642:8000`) but does not explain the security implications of exposing a local service. If the host is on an untrusted network or firewall rules are permissive, other systems may reach the service and interact with image-processing endpoints unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.