I Love You Mom

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Mixtiles automation, but it can read private WhatsApp photos, upload selected family images to third parties, and send a WhatsApp link without a clear review step.

Install only if you are comfortable granting the agent access to the specified WhatsApp group and letting selected photos leave local/WhatsApp storage for the Mixtiles/Cloudinary cart flow. Review the dependent mixtiles-it script first, set the group and recipient variables narrowly, and add a manual confirmation step before any upload or WhatsApp send.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill processes private family photos from a WhatsApp group and uploads them to Cloudinary as part of cart generation, but it does not prominently warn the user that images will be transmitted to a third party. In this context, the data is highly personal, and silent external upload creates a meaningful privacy and consent risk for everyone depicted in the photos, not just the operator.

VirusTotal

64/64 vendors flagged this skill as clean.
