Security audit

BeautyPlus portrait beauty, outfit change, photo restoration

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed BeautyPlus image-editing skill that sends selected media to paid external processing and optional chat-delivery services, so it is not hidden or malicious but should be used carefully with sensitive photos.

Install only if you are comfortable sending selected images to BeautyPlus and, when delivery is enabled, to chat platforms such as Feishu or Telegram. Use scoped API keys, prefer environment variables for tokens, verify recipients before sending, avoid highly sensitive photos unless the provider terms are acceptable, and clear the documented history/cache directories if you do not want local task records retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Tainted flow: 'img_data' from requests.get (line 82, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
}
    content_type = content_type_map.get(ext, "image/jpeg")

    resp = requests.post(
        "https://open.feishu.cn/open-apis/im/v1/images",
        headers={"Authorization": f"Bearer {token}"},
        data={"image_type": "message"},
Confidence
93% confidence
Finding
resp = requests.post( "https://open.feishu.cn/open-apis/im/v1/images", headers={"Authorization": f"Bearer {token}"}, data={"image_type": "message"}, files={"image":

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The resolve-input command fetches arbitrary user-supplied URLs and also retrieves media from Telegram and Feishu, creating an SSRF-style network access surface and enabling the tool to pull untrusted remote content into the local environment. Even with size limits and scheme checks, allowing unrestricted http/https destinations can expose internal services, metadata endpoints, or sensitive network locations reachable from the host.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill accepts arbitrary http(s) URLs and server-side fetches them with requests before uploading the content onward. This creates a general network-fetch primitive that can be abused for SSRF-style access to internal services, cloud metadata endpoints, or other unintended hosts if an attacker controls image_path.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Fetching arbitrary external URLs and then uploading the result to Feishu is not necessary for a portrait-editing skill and expands the attack surface beyond the stated purpose. In this context, it enables misuse as a generic content fetch-and-forward tool, which is especially concerning because images may contain sensitive personal data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements Feishu credential use and message delivery, which is materially outside the manifest's declared image editing/beautification scope. Scope mismatch is dangerous in agent skills because it can hide covert exfiltration or unsolicited outbound messaging capability behind a benign-looking package description.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file's functionality is materially unrelated to the declared beauty/image-editing purpose: it reads Feishu credentials, uploads files, and sends messages to external recipients. In a skill ecosystem, capability mismatch is dangerous because it can hide unauthorized exfiltration or operator-command channels behind an innocent-looking manifest.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script accesses Feishu app credentials from a local configuration file even though the advertised skill purpose does not require messaging integration. Unnecessary credential access increases the blast radius of the skill and creates opportunities for misuse of existing tenant privileges.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code performs authenticated outbound uploads and message sends to Feishu, including video files and optional links, which is outside the stated beautification scope. In context, that makes the capability especially risky because it can be used to transmit local artifacts or results to third parties without users expecting messaging behavior from the skill.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script can fetch arbitrary remote cover images from attacker-controlled URLs and then upload the retrieved content onward. Even though requests does not support some URL schemes, this still introduces unnecessary remote retrieval behavior inconsistent with the skill's declared purpose and may be abused for internal network probing or relay behavior in some environments.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The script's functionality—sending images to Telegram—does not align with the stated purpose of an AI beautification and editing skill. In context, this mismatch is dangerous because it introduces an undocumented outbound communications channel that could be used to export user images or processed results to third-party chats without clear necessity or user expectation.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This script adds a generic outbound messaging/exfiltration capability to a skill that is described as performing image editing, not message delivery or external publishing. In this context, the capability materially increases risk because user photos—potentially intimate or highly sensitive given the body-editing features—can be transmitted off-platform to arbitrary Telegram chats.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script reads a Telegram bot credential despite the manifest not describing Telegram integration or any need for outbound bot access. In context, collecting and using an extra credential expands attack surface and supports undisclosed data egress functionality, making the mismatch more suspicious than it would be in a clearly documented messaging integration.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
This script adds Telegram video and message delivery behavior that is not justified by the declared beauty/image-editing purpose of the skill. In a mismatched skill context, outbound sharing features are dangerous because they can be used to export generated or user-supplied media to third-party chats without clear user expectation, increasing exfiltration and privacy risk.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The code supports outbound Telegram bot messaging, video upload, thumbnail fetching, and link sharing, none of which naturally fit a portrait retouching/beautification scope. In this context, such capabilities materially increase the risk that edited images or videos, plus associated URLs, are silently transmitted off-platform, making the mismatch more suspicious and dangerous than it would be in a messaging or social-sharing skill.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation rule says to trigger whenever a user requests modifications or enhancements to a photo/image, which is broad enough to invoke the paid remote service on many generic image-related requests. In context, this can cause unintended processing of user images, quota consumption, and unnecessary transfer of media to a third-party API without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several trigger phrases such as 'make me look better' or 'add a filter' are common and ambiguous, making accidental invocation likely in ordinary conversation. Because this skill can upload inputs, perform remote processing, and incur billing, vague triggers increase the risk of privacy leakage and unwanted paid actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example code instructs the agent to read Feishu app credentials directly from the host's OpenClaw configuration and immediately use them to obtain a tenant access token and send a message. Even though this is presented as documentation, it normalizes access to host-stored secrets and external network use without explicit user consent, disclosure, or minimization, which can enable unauthorized secret use and message sending in a real agent environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code emits progress logs containing user-supplied or service-returned media URLs via helpers like `_log_outputs_ready`, `_brief_media_ref`, and `safe_url_preview`. Even when truncated, these URLs may still expose sensitive image locations, signed query parameters, task identifiers, or internal storage paths to stderr/log collectors without any user warning or consent, creating a privacy and secret-leakage risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes full stdout and stderr from each subprocess into raw audit JSON files, which can capture API errors, task identifiers, URLs, stack traces, or accidentally emitted secrets from the child process. Because this skill processes external services and loads credentials into the environment, preserving unredacted subprocess output increases the chance of sensitive data disclosure through local reports or artifact sharing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Allowing a Feishu app token to be supplied directly via a CLI argument is dangerous because command-line arguments are often visible to other local users through process listings, shell history, job control tools, and monitoring agents. This can lead to inadvertent credential disclosure even if the code never logs the token explicitly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently reads Feishu app credentials from a local config file and immediately uses them to obtain a tenant token over the network, with no user-facing disclosure or consent prompt. In an agent setting, undisclosed credential-bearing requests reduce transparency and can surprise users who believe the skill only edits images locally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script downloads remote images and uploads image bytes to Feishu without any explicit privacy warning, even though the skill handles portraits and beautification outputs that may be highly sensitive. This undisclosed third-party transmission is risky because users may not realize their photos are leaving the local environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently reads local credentials and immediately performs authenticated outbound requests without an explicit user-facing warning or consent step. In a mismatched skill context, that lack of transparency increases the risk of unintended data disclosure and covert use of local trust relationships.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest states that user images are sent to a paid external API and that API credentials are required, but it provides no user-facing disclosure about third-party data transfer, retention, or billing implications. In an image-editing skill handling potentially sensitive portraits and body-modification requests, this omission creates meaningful privacy and consent risk because users may unknowingly transmit personal images off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
cfg = json.loads(open(cfg_path).read())
feishu = cfg["channels"]["feishu"]["accounts"]["default"]

token_resp = urllib.request.urlopen(urllib.request.Request(
    "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal",
    data=json.dumps({
        "app_id": feishu["appId"],
Confidence
90% confidence
Finding
urllib.request.urlopen(urllib.request.Request( "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal", data=

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.