Mixtiles Monthly

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can automatically download private WhatsApp group photos, upload selected photos to third-party services, run an unpinned helper skill, and send a WhatsApp message without a clear review step.

Review this before installing if your WhatsApp group contains private family photos. Configure the exact group and recipient, verify the external mixtiles-it helper script, review selected photos before upload, and add a confirmation step before any WhatsApp message is sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill processes photos from a WhatsApp group and uploads selected images to Cloudinary as part of generating a Mixtiles cart, but it does not provide a clear user-facing privacy notice or obtain explicit authorization for third-party sharing. This is dangerous because family/group photos may contain sensitive personal data, and participants may not expect their images to be transferred off-platform to external services.

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill automatically sends an outbound WhatsApp message containing the generated cart link without an explicit warning or confirmation step. This can lead to unintended messaging, disclosure of purchasing intent or personal content context, and accidental spam or misdelivery if the destination is misconfigured.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal