Security audit

Zhy Article Illustrator

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its article-illustration purpose, but it can send article content and API keys to an under-disclosed third-party image relay by default.

Review this before installing. Use it only for articles that may be shared with external image services, set IMAGE_BASE_URL or XIAOMI_BASE_URL to a trusted endpoint instead of relying on defaults, use least-privilege API keys, and keep upload=false unless you intentionally want images hosted through Qiniu/CDN.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README explicitly states that the skill reads local .env configuration, rewrites article files, and can upload generated images to Qiniu, but it does not prominently warn users about credential exposure, third-party data transfer, or modification of local content. In an agent-driven workflow, this omission can lead users to run the skill on sensitive drafts or with production credentials without understanding that content and secrets may be consumed by external services.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The workflow instructs the agent to send article-derived prompts and optionally upload generated assets to external services, but the skill text does not prominently warn users that article content, extracted concepts, and filenames/metadata may leave the local environment. If the article contains sensitive, unpublished, or regulated material, this can cause unintended third-party disclosure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script can upload generated images to Qiniu when the --upload flag is used, but this file does not present any explicit disclosure, confirmation, or destination details before transferring files to an external service. In a publishing workflow, generated images may contain proprietary article context or sensitive embedded text, so silent exfiltration to third-party storage increases data handling and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/illustrate-article.ts:220

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: scripts/image-gen.ts:62

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: scripts/qiniu-upload.ts:70