WaveSpeedAI Face Swapper

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate face-swap instruction skill, but it handles highly sensitive likeness media and lacks clear consent, privacy, and misuse guardrails.

Review this carefully before installing. Use it only with media you own or have explicit permission to edit, and only when every identifiable person has consented. Avoid impersonation, fraud, harassment, sexualized edits, or deceptive publication. Check WaveSpeed's privacy, retention, deletion, and output-use terms before uploading sensitive photos or videos.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly enables image and video face swapping, including multi-face targeting and watermark-free output, but provides no safety warning about consent, impersonation, harassment, fraud, or deceptive media creation. That omission increases the likelihood of misuse because the capability is presented as a straightforward utility without policy guardrails, making harmful or non-consensual use easier to normalize and operationalize.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal