Security audit

PhotoPlus Album Downloader

Security checks across malware telemetry and agentic risk

Overview

This is a real PhotoPlus album downloader, but it fetches and runs mutable third-party code and can install Python packages without pinning or verification.

Review before installing. Use only for albums you own or have permission to archive, prefer --dry-run first, avoid --install-deps unless you accept Python package installation, and consider using a pinned, reviewed copy of the upstream downloader instead of letting the wrapper fetch the live main branch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation instructs the agent to run Python scripts that perform network access, invoke shell commands, and optionally install dependencies, yet the skill declares no permissions for those capabilities. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as lower risk than it is, while the skill can still fetch remote code/data and execute commands that affect the local environment.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This wrapper fetches code from GitHub or a raw URL at runtime and then executes it locally, which creates a software supply-chain execution path far beyond simple album downloading. If the upstream repository, branch, network path, or fetched content is compromised, users will run attacker-controlled code on their machine.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script can invoke pip install on requirements obtained from the cloned repository, allowing arbitrary package installation and execution of setup/build hooks from untrusted or mutable upstream dependencies. This expands the attack surface from one downloaded script to the entire dependency tree and can modify the user's Python environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill silently performs high-risk actions—cloning/downloading code, optionally installing packages, and then executing the result—without an explicit warning proportional to that risk. In the context of an album downloader, users are likely to expect network access to the album service, not arbitrary third-party code retrieval and local execution.

VirusTotal

63/63 vendors flagged this skill as clean.