linkfoxai-image-tool

Security checks across malware telemetry and agentic risk

Overview

This image-processing skill is coherent and purpose-aligned, but users should understand that it may store a provider API key locally and upload selected images to the provider.

Install only if you are comfortable using a ZNOPEN/Linkfox provider API key and sending chosen images to that provider for processing. Prefer a scoped API key, confirm before letting the agent save it to ~/.znopen/config.json, and review any future package version carefully if it adds actual local scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly instructs the agent to read an API key from `~/.znopen/config.json` and, if missing, prompt the user to provide it and then write it back to a local config file, but it gives no warning, consent requirement, or storage-safety guidance. This can lead to users unknowingly persisting sensitive credentials on disk where other local users, processes, backups, or logs may access them.

VirusTotal

66/66 vendors flagged this skill as clean.
