Security audit

Beauty Karma

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it analyzes a user-chosen portrait with MiniMax and creates a shareable report, with privacy and local-preview cautions.

Install only if you are comfortable sending selected portrait photos to MiniMax or another configured endpoint. Use mock mode for local demos, avoid untrusted image URLs, do not point imagePath at non-photo files, and run the preview server only from the skill directory or another directory you are comfortable exposing locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation indicates use of environment variables and outbound network access, but it declares no permissions or capability disclosures. This creates a transparency and governance gap: users and reviewers may not realize the skill can access API keys and transmit data externally, which is especially relevant because it processes portrait photos.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill accepts an arbitrary imageUrl and later embeds that URL directly into the generated HTML as an <img> source. When a user opens the report, the browser may fetch attacker-controlled remote content, enabling tracking, unexpected network access, and misuse of the report generator as a remote-content loader outside the stated selfie-analysis purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation does not perform the portrait-analysis functionality described in the skill metadata and instead runs a generic static file server. This mismatch is security-relevant because it broadens the exposed behavior beyond the declared purpose, making review, permission scoping, and user trust assumptions inaccurate; in agent ecosystems, undeclared file-serving behavior can become an unintended data exposure surface.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The server constructs a filesystem path from the request pathname and reads that file from disk, which exposes local file-serving capability unrelated to the skill's stated purpose. The path sanitization is insufficient because absolute paths can override the intended root when passed to join, and normalization plus a simple leading '..' replacement does not robustly confine access to a safe directory, creating a risk of arbitrary local file disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill accepts portrait images via local path, URL, or base64 and sends them to an external AI service, but it does not clearly warn users that their photos may be transmitted to a third party. Because portrait photos are highly sensitive biometric-adjacent personal data, lack of explicit disclosure and consent materially increases privacy risk and can lead to unintended exposure or regulatory issues.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code sends user-supplied portrait images or image data URLs to the external MiniMax API for analysis. Because these are personal images and this file contains no consent, disclosure, minimization, or retention controls, users may unknowingly transmit sensitive biometric-like content to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
- Model: `MiniMax-M3`.
- Real analysis requires `MINIMAX_API_KEY`.
- Default endpoint: `https://api.minimax.io/v1`.
- Override with `MINIMAX_BASE_URL` if needed.

## Safety Boundaries
Confidence
79% confidence
Finding
https://api.minimax.io/

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/run-skill.js:184