Face8 Celebrity Recognition

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly malicious, but it can upload face photos and make persistent changes to a third-party face-recognition database, which deserves careful review before use.

Install only if you are comfortable sending the selected photos to face8.ai for face-recognition processing. Avoid using it on private individuals or photos without consent, and be especially careful with --register and --confirm because those options may change Face8's remote face database rather than merely showing a result.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documentation and required tooling indicate outbound network use to a third-party face-recognition API, but the manifest does not clearly declare that network capability or permission. This weakens user awareness and policy enforcement, especially because images of people are sensitive biometric data being transmitted off-device.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The stated purpose is passive celebrity identification, but the documented commands also allow registering new faces and confirming matches, which changes remote Face8 database state. This is more dangerous than described because a user may invoke a skill expecting lookup only, while it can submit labels or confirmations that poison, alter, or expand biometric records on a third-party service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The manifest describes only identifying celebrities from a photo, but the documentation includes features that register faces and confirm matches against the remote service. That mismatch can mislead users and reviewers about the true scope of biometric processing and remote state modification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: Registering unknown faces into a third-party database is not necessary for simple celebrity identification and introduces significant biometric privacy and integrity risk. It enables users to upload and label individuals, potentially without consent, and can contaminate or expand the provider's dataset beyond the advertised purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill metadata presents this as a celebrity-identification tool, but the code also exposes mutation operations against the remote Face8 service: registering new faces and confirming suggested matches. This creates a scope mismatch that can cause users or higher-level agents to trigger unintended state-changing actions on a third-party biometric database, which is especially sensitive given the facial-recognition context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The register() path allows uploading a face token and name to create or modify entries in a remote facial-recognition database, even though the advertised use case is only identification. In a biometric system, unauthorized or accidental enrollment can poison the dataset, create privacy and compliance issues, and persistently change recognition outcomes for future users.

Context-Inappropriate Capability

Severity: Low
Confidence: 90%
Finding: The confirm() function performs a state-changing confirmation of a suggested identity match in the remote service, which goes beyond passive recognition. This can bias or corrupt the provider's matching data and may wrongly reinforce false matches, with downstream privacy and accuracy consequences in a facial-recognition system.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill uploads user-supplied images to an external face-recognition API without any visible privacy warning, consent flow, or disclosure of third-party processing. Because photos of faces are highly sensitive biometric data, silent transmission to a remote service increases privacy, legal, and trust risks, especially when users may assume local-only processing.

VirusTotal

64/64 vendors flagged this skill as clean.