image-generator-custom

Security checks across malware telemetry and agentic risk

Overview

This skill openly calls a user-configured image generation API and saves returned images locally, with no evidence of hidden or unrelated behavior.

Install only if you trust the image API provider you configure. Use a scoped API key, verify IMAGE_API_URL before running, avoid confidential or regulated prompt content unless the provider is approved, and run it from a directory where generated PNG files are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill clearly sends user prompts to a third-party image-generation API, but the documentation does not provide a prominent privacy warning that user content and related request metadata leave the local environment. Users may unknowingly submit sensitive, proprietary, or personal information to an external provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal