Back to skill

Security audit

appearance score

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-provided face photo to Synerunify to return appearance scores, with no hidden code or persistence found.

Install only if you are comfortable sending photos, potentially including faces, to Synerunify for processing. Avoid submitting images of other people unless you have appropriate permission, and treat the service's retention and privacy practices as unspecified by this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to upload a user-supplied photo to an external third-party API for appearance scoring without any explicit user warning, consent checkpoint, or privacy notice. Because face images are highly sensitive biometric/personal data, silent transmission to an outside service can violate user expectations, privacy requirements, or platform policy even if the API itself is legitimate.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.