Faceswap

Security checks across malware telemetry and agentic risk

Overview

This face-swap skill appears purpose-aligned, but it handles sensitive face/video media through a third-party service without enough privacy or consent disclosure.

Before installing, confirm you have consent and rights for every face and video used, and assume submitted media may be sent to verging.ai for processing. Avoid private, regulated, intimate, or non-consensual content unless the publisher clearly documents privacy, retention, deletion, and acceptable-use controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The README advertises support for local files and remote URLs but does not clearly disclose that user-supplied videos and face images are processed by a third-party API service. This can mislead users into uploading sensitive media, including identifiable faces and private videos, without informed consent about data transfer, retention, or external processing.

Missing User Warnings

Medium
Confidence: 96%
Finding:
This skill performs face swapping on user-provided images and videos, which involves sensitive biometric data and enables deepfake-style manipulation, yet the README provides no warning about consent, legality, or abuse risks. In this context, omission increases the chance of non-consensual or inappropriate use because the capability is specifically designed to alter identity in media.

VirusTotal

VirusTotal findings are pending for this skill version.
