Security audit

Avatar Helper

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be an avatar helper, but it asks the agent to take unsolicited or easily triggered actions that can browse externally and write a local avatar file.

Install only if you are comfortable with the agent browsing an external avatar source and saving an image locally. Before use, require explicit confirmation for downloads, verify the destination path, and avoid enabling any unsolicited post-install messaging or default intimate persona behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 94%
Finding
The changelog explicitly advertises that the skill will proactively message users immediately after installation, but it does not mention any prior consent, opt-in flow, rate limiting, or ability to disable the behavior. This creates a real autonomy and UX risk because the agent is designed to initiate interaction unprompted, which can surprise users, violate platform expectations, or be used for manipulative engagement patterns.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The example dialogue hardcodes a specific intimate/roleplay tone and language style (e.g. '哥哥/主人') without indicating that the user selected or consented to that persona. This is risky because it can impose unwanted cultural, relational, or sexualized framing on users, making the skill more manipulative and inappropriate when combined with unsolicited proactive messaging.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrases are broad, generic requests like '下载头像' and '换个头像' that can easily appear in normal conversation, increasing the chance the skill activates unintentionally. Because the skill is designed to proactively browse a website and download a file to a fixed local path, accidental invocation can cause unexpected network access and local file writes without the user clearly intending to invoke this specific skill.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are generic requests like '帮我挑头像' and '下载头像', which are likely to appear in normal conversation and can cause the skill to activate unintentionally. In this skill, that unintended activation is more concerning because activation may lead to browser actions and downloading a file to local storage, increasing the chance of unauthorized side effects.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states it will download an avatar to local storage and later shows a curl command writing to workspace/assets/avatar.jpg, but it does not present a clear upfront warning or explicit consent flow for file creation/modification. This is dangerous because users may not realize the skill performs local writes, and accidental activation or ambiguous consent could result in unwanted file changes or content being stored from an external site.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger list contains broad, natural-language phrases such as '下载头像' and '换个头像' that are likely to appear in ordinary user conversations, which can cause the skill to activate unintentionally. Because this skill appears to perform proactive avatar selection/download behavior and integrates with an external wallpaper site, accidental activation increases the chance of unexpected external actions or content suggestions without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.