Lindsay Selfie

Security checks across malware telemetry and agentic risk

Overview

This skill appears to create identity-based selfie images, but its triggers and disclosure are too broad for that sensitive behavior.

Install only if you intentionally want this skill to generate selfie-style images using local identity reference photos. Before using it, verify what reference images it reads, where generated photos are saved, and whether it requires explicit confirmation before creating or storing any identity-based image.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 95%
Finding
The trigger phrases are broad enough to activate on ordinary conversational prompts like 'what are you doing?' or 'where are you?', causing the skill to generate and save a selfie-style image without a clearly scoped user request. In this skill’s context, that is more dangerous because it automatically uses a local identity pack of 14 reference images and writes output to disk, increasing the chance of unintended identity-image generation and privacy-impacting behavior.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill does not warn users that it accesses a local face/identity pack and saves generated photos to a local gallery path. That omission undermines informed consent and transparency, especially since the asset set appears to be persistent identity-reference data used to synthesize a consistent likeness.

VirusTotal

66/66 vendors flagged this skill as clean.
