Privacy Mask

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at image privacy protection, but its automatic prompt hook may run too broadly and change images before they are sent without clear user confirmation.

Install only if you want automatic image redaction before prompts are submitted. Check whether the hook requires explicit opt-in, supports preview/undo, and avoids in-place edits unless you confirm.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger conditions are broad enough to activate on generic privacy- or image-related language, which can cause the skill to run when the user did not explicitly request masking. Because this skill has a UserPromptSubmit hook that intercepts images and can modify files or cached images before API submission, unintended invocation could alter user workflows, perform unnecessary local processing, or mask content the user expected to preserve.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal