ClawHub

Apple Photos Cleaner

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Apple Photos analysis and cleanup toolkit whose sensitive access is mostly disclosed and aligned with its purpose, though users should read the cleanup and privacy implications carefully.

Install only if you are comfortable giving the skill local access to sensitive Apple Photos metadata such as names, faces, places, filenames, dates, and favorites. Use preview or plan-only modes first, inspect cleanup candidates, and only run --execute after confirming the exact items to move to Recently Deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document repeatedly assures readers that all operations are read-only, yet it also documents a cleanup executor that can move photos to Recently Deleted via AppleScript. This mismatch is dangerous because users or downstream agents may authorize or invoke the skill under a false safety assumption, leading to unintended destructive actions against a sensitive personal photo library.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The guidance says cleanup candidates must be deleted via Photos.app, but elsewhere the skill exposes an AppleScript-based cleanup executor that can perform the action itself. This inconsistency can mislead an agent into presenting the skill as advisory-only when it in fact supports direct state changes, weakening informed consent and safe execution boundaries.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The Safety & Permissions section claims all operations are read-only and that no photos are modified or deleted, directly contradicting the documented cleanup executor. In a skill that processes highly personal data, inaccurate safety claims materially increase the risk of accidental deletion and unsafe trust by users and orchestrating agents.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger list is unusually broad and includes generic phrases around cleanup, organization, storage, and photos, which raises the chance of the skill being invoked in contexts where the user did not intend deep analysis of a private photo library. Because the skill can expose sensitive metadata and also includes cleanup actions, over-broad activation increases privacy and safety risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill prominently describes analysis of faces, people, locations, shared libraries, and behavioral patterns, but it lacks a clear upfront privacy warning about the sensitivity of that metadata. Users may not realize the skill can infer relationships, locations, habits, and shared-content details from their library, creating informed-consent and data-minimization concerns.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script processes and displays named face-identification data and ranks portraits per person without any visible consent check, privacy notice, or access-control safeguard in the skill itself. Even if intended for personal photo analysis, exposing biometric/person-linked metadata can create privacy harm through unauthorized profiling, identification, or disclosure of sensitive relationships and photo contents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script analyzes highly sensitive Apple Photos metadata, including hidden items, favorites, geolocation presence, and identified people, but provides no user-facing warning, consent prompt, or scope limitation before processing and displaying that data. In an agent/skill context, this increases privacy risk because users may not realize the tool enumerates private attributes and surfaces them in output, which could expose intimate behavioral or identity information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script processes highly sensitive photo metadata, including precise GPS coordinates, travel history, and recognized people associated with locations, then summarizes and outputs that information without any explicit privacy warning, consent check, or minimization controls. In a photo-analysis skill, that creates meaningful privacy risk because the resulting output can reveal home/work patterns, trips, and social relationships from a user's library.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code enumerates and returns sensitive photo-library metadata including filenames, timestamps, favorites, geolocation, scene classifications, and identified people from face-recognition tables. Even though it appears intended for a legitimate memory feature, exposing this data without an explicit privacy notice, minimization, or consent gate can leak highly sensitive personal information to callers or downstream tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script performs sensitive analysis over named people in a photo library, including identity-linked counts, timelines, 'best photos,' favorites, and co-occurrence relationships, but provides no clear privacy warning, consent check, or output minimization. In this context, the skill materially increases privacy risk because it turns raw personal photos into structured social and behavioral intelligence that could be exposed, logged, or misused by an operator who does not appreciate the sensitivity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The search results include raw latitude and longitude for each matched photo and the formatted output exposes scene/content-based photo discovery, which can reveal sensitive location history tied to personal content. In a photo-analysis skill, combining semantic search (for example, family, child, home, beach) with precise coordinates materially increases privacy risk and can enable stalking, home/work inference, or deanonymization if results are shared or logged.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The formatter emits potentially sensitive local photo library metadata directly to human-readable output, including filenames, creation dates, dimensions, file types, and a ranked list of the largest files. In the context of an agent skill, this can expose private user content or behavioral information in logs, terminal history, downstream tool outputs, or shared reports without any explicit warning, consent gate, or redaction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The narrative output intentionally includes sensitive derived data such as identified people names and precise GPS coordinates, and it does so without any consent check, redaction, or user-facing privacy warning. In this skill’s context, the output is specifically designed for recap/narration, which increases the chance that sensitive personal data is copied, logged, shared with downstream AI systems, or exposed to unintended recipients.

Unvalidated Output Injection

High
Category
Output Handling
Content
)

    try:
        result = subprocess.run(
            ["osascript", "-e", applescript],
            capture_output=True,
            text=True,
Confidence
79% confidence
Finding
subprocess.run( ["osascript", "-e", applescript], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal