wan-image-gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Alibaba Cloud DashScope image-generation helper that uses an API key, sends prompts to the provider, and saves generated images locally as documented.

Install only if you are comfortable sending prompts and related request details to Alibaba Cloud/DashScope and using a DashScope API key. Prefer a dedicated API key, avoid secrets or sensitive personal/business data in prompts, start with --dry-run or low-cost settings, and choose an output directory you are comfortable storing generated images in.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The skill states that it will automatically download generated images to the local filesystem, but does not prominently warn users that files will be written locally. This can lead to unexpected local persistence of potentially sensitive or inappropriate generated content, especially in shared environments or automated agent workflows.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation instructs users to configure an API key and use a remote Alibaba Cloud image-generation service, but does not clearly warn that prompts, negative prompts, seeds, and related request metadata are transmitted to a third party. This is dangerous because users may unknowingly send sensitive business data, personal information, or confidential creative material to an external provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal