Security audit

Photography Mastery

Security checks across malware telemetry and agentic risk

Overview

This is a text-only photography education skill with broad example prompts but no code execution, sensitive access, persistence, or hidden behavior.

Safe to install as a photography reference skill. Use explicit photography wording when invoking it, and note that the README includes disclosed promotional links to AfrexAI storefront pages and other skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding
The quick-start phrase at this line is a generic natural-language request that could plausibly appear in ordinary user conversation, increasing the chance the skill is invoked unintentionally. While the skill content is not inherently dangerous, broad invocation patterns can cause routing mistakes, unexpected behavior, or unwanted disclosure of the skill’s internal capabilities in multi-skill environments.

Vague Triggers

Medium
Confidence: 91%
Finding
The quick-start section contains several broad example prompts such as requests about lighting, lenses, portfolios, and pricing that are common user intents outside a strictly bound skill context. In agents that match skills from README language, this can lead to accidental or excessive invocation, especially when multiple creative, marketing, or business skills coexist.

Vague Triggers

Medium
Confidence: 91%
Finding
The skill defines very generic natural-language triggers such as 'Critique this photo', 'Teach me [technique]', 'Build my portfolio', and 'Monthly practice plan'. Broad phrases like these can collide with ordinary user requests in unrelated contexts, causing the skill to activate unexpectedly and steer the agent into this skill's workflow when the user did not explicitly intend that routing.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.