TryHair AI

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it can upload sensitive face photos and a TryHair UID with broad implicit triggers and only optional confirmation.

Install only if you are comfortable sending selected face photos and your TryHair UID to tryhair.ai. Before each run, confirm which image and style will be used, watch for credit usage, avoid private/internal image URLs, and delete generated files from the output directory when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tainted flow: 'filepath' from requests.post (line 196, network input) → open (file write)

Medium
Category
Data Flow
Content
os.makedirs("output", exist_ok=True)
filepath = f"output/output_{safe_style}_{timestamp}.jpg"

with open(filepath, 'wb') as f:
    f.write(base64.b64decode(data['image_base64']))

style = data['hairstyle']
Confidence
77% confidence
Finding
with open(filepath, 'wb') as f:

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill persists generated hairstyle images to local disk even though that storage behavior is not disclosed in the described functionality. Because the images are face-related and potentially sensitive, undisclosed retention increases privacy risk, leaves artifacts on the host, and may expose user data to other local users or later processes.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger guidance for hairstyle try-on is broad enough to activate on common appearance-related requests once a photo is present, which can cause the agent to send a user's face photo and UID to an external service without sufficiently explicit consent for that specific action. In a skill that processes biometric-like face imagery and consumes credits, ambiguous invocation increases both privacy and unintended transaction risk.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The face-shape trigger overlaps with general hairstyle recommendation requests, making it possible for the agent to invoke external face analysis when the user may only want non-invasive advice. Because this action analyzes facial features and may consume credits, ambiguous routing can lead to unnecessary disclosure of sensitive face data to a third party.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README instructs users to upload a face photo and provide a UID for processing by tryhair.ai but does not prominently warn that sensitive facial images and identifiers are being transmitted to an external service. This is dangerous because face photos are highly sensitive personal data, and users may not understand the privacy, retention, sharing, and account-billing implications before use.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases include highly generic language such as "try this" and "try that shag one," which can easily appear in normal conversation and unintentionally launch image-processing actions. Because this skill operates on user photos and can consume credits or send data to an external API, ambiguous triggers raise the risk of unauthorized or accidental processing.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The action trigger section again authorizes generic phrases like "try this" and "try it" without strict contextual checks. In a multimodal session where images and prior recommendations are retained, this can cause stale or unintended context reuse and trigger sensitive image processing without sufficiently clear consent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Allowing a bare style name alone to count as execution intent is overly permissive, because many style names can occur in ordinary discussion rather than as a command. This increases the chance that the skill will perform try-on generation, process a stored image, or incur external-service actions when the user was only discussing options.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill permits reuse of a previously provided image or identifier within the same session and says confirmation is optional. Because face photos are sensitive biometric-related data and the UID links activity to an account/session, optional confirmation creates a real risk of processing or transmitting sensitive data based on stale context the user did not intend to reuse.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The default prompt uses a broad natural-language invocation phrase ('Use tryhair-openclaw to analyze my face shape or preview new hairstyle from my photo') while implicit invocation is enabled, which can cause the skill to activate from loosely related user requests involving photos, appearance, or hairstyle changes. In a skill that processes user images and biometric-adjacent face-shape data, unintended activation increases privacy risk and may trigger photo handling without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill uploads a user's face image and UID to an external service without any user-facing notice or consent flow in the script. Because facial images are sensitive biometric data, silent transmission to a third party creates a meaningful privacy and compliance risk even if the destination service is legitimate.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The face-shape analysis path also sends biometric image data and a user identifier to an external API without explicit disclosure. In this skill context, the network transfer is functionally expected, but the lack of transparency makes it more dangerous because users may not realize their sensitive face data leaves the local environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal