Back to skill

Security audit

imageReader

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for reading chat images, but it needs review because it handles chat credentials and attachments with loosely scoped downloading and storage behavior.

Install only if you are comfortable granting chat bot or app credentials that can read messages and download attachments. Use least-privilege platform scopes, restrict the bot to the needed chats or workspaces, avoid broad direct URL inputs, and treat downloaded images as sensitive local files that may also be processed by the configured image analysis tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'url' from requests.get (line 117, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
def download_discord_image(url: str, output_path: str) -> str:
    """Download image from Discord (direct URL)."""
    resp = requests.get(url)
    resp.raise_for_status()
    
    with open(output_path, "wb") as f:
Confidence
95% confidence
Finding
resp = requests.get(url)

Tainted flow: 'media_url' from requests.get (line 152, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
media_url = resp.json()["url"]
    
    # Download media
    resp = requests.get(media_url, headers={"Authorization": f"Bearer {token}"})
    resp.raise_for_status()
    
    with open(output_path, "wb") as f:
Confidence
83% confidence
Finding
resp = requests.get(media_url, headers={"Authorization": f"Bearer {token}"})

Tainted flow: 'download_url' from requests.get (line 171, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
download_url = resp.json()["file"]["url_private_download"]
    
    # Download file
    resp = requests.get(download_url, headers={"Authorization": f"Bearer {token}"})
    resp.raise_for_status()
    
    with open(output_path, "wb") as f:
Confidence
88% confidence
Finding
resp = requests.get(download_url, headers={"Authorization": f"Bearer {token}"})

Tainted flow: 'url' from requests.get (line 117, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
def download_direct_url(url: str, output_path: str, headers: dict = None) -> str:
    """Download image from direct URL."""
    resp = requests.get(url, headers=headers or {})
    resp.raise_for_status()
    
    with open(output_path, "wb") as f:
Confidence
97% confidence
Finding
resp = requests.get(url, headers=headers or {})

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad everyday phrases like 'analyze image' and 'read image from chat', which can cause the skill to activate in contexts the user did not intend. Because this skill has network access and permissions to read chat messages and download attachments, accidental activation could lead to unnecessary access to private message content or media.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.