Back to skill

Security audit

Agent Selfie

Security checks across malware telemetry and agentic risk

Overview

The core image generator is coherent, but its heartbeat instructions can change public avatars and write memory without clear per-action approval.

Review before installing if an agent might run HEARTBEAT.md automatically or has tools that can change social profiles. Use it only with explicit approval for each avatar/account update, keep GEMINI_API_KEY secret, avoid sensitive personality files or prompts, and choose an output directory whose saved images and prompts you are comfortable retaining.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill metadata declares runtime requirements and clearly documents use of an API key, local file output, and an external service, but it does not declare corresponding permissions/capabilities. This creates a transparency and policy-enforcement gap: users or orchestration systems may treat the skill as lower-privilege than it actually is, increasing the chance of unintended network access, file writes, and handling of sensitive environment variables.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The heartbeat extends a nominal image-generation skill into external account modification and persistent memory updates. That broadens the skill’s authority from creating images to taking side-effecting actions on third-party services, which can cause unauthorized profile changes or unwanted persistence if the heartbeat runs automatically.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Updating Discord/Twitter/AgentGram avatars is not necessary for basic selfie generation and introduces an unjustified capability escalation. In an automated agent context, this can lead to silent modification of external identities, brand misuse, or repeated unauthorized changes if triggered on a schedule.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown instructs the agent to change third-party avatars without any warning, confirmation step, or discussion of the external side effects. Because heartbeat behavior is periodic, the context makes this more dangerous: a routine content-generation task could repeatedly alter public-facing accounts without a fresh user decision.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installation guide instructs users to create and export a long-lived `GEMINI_API_KEY` but does not warn that this is a sensitive secret that must not be committed, shared, or logged. In a skill ecosystem where users may copy commands into shell profiles and run debugging tools, lack of credential-handling guidance increases the chance of accidental disclosure and subsequent API abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented usage sends personality/style/vibe prompts to Gemini and writes generated images to disk, but the skill does not clearly warn that user-provided data is transmitted to a third-party API or persisted locally. In this context, personality files may contain identifying or sensitive branding information, and scheduled execution increases the risk of repeated unnoticed disclosure and accumulation of artifacts on disk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.