Back to skill

Security audit

Faces

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Faces Platform integration, but it needs review because it encourages remote persona-building with sensitive personal data and weak credential-handling examples.

Review before installing. Use it only when you intentionally want content sent to the Faces service, avoid uploading confidential or third-party material without consent, do not provide government identifiers such as SSNs or tax IDs, prefer scoped API keys with budgets and expiry, and avoid typing real passwords directly into command-line examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The attribute reference explicitly permits highly sensitive identifiers such as social_security_number and tax_id, which are not necessary for typical persona creation and create disproportionate privacy and identity-theft risk. In the context of a platform that compiles personas from source material, documenting these fields normalizes collection of regulated or extremely sensitive data and increases the chance users will submit it.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented schema allows broad collection of sensitive demographic, immigration, family, financial, legal, and health-related attributes that exceed what is clearly justified by the skill description. Because this skill centers on building and managing personas, the extensive accepted fields materially increase the risk of profiling, privacy invasion, and creation of detailed dossiers on real people.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation scope is broad enough to trigger on adjacent topics like general chatting, comparisons, uploads, account management, and platform mentions without strong boundary checks. In an agent setting, this can cause the skill to activate when the user did not intend to use Faces, leading to unnecessary remote API usage, accidental handling of sensitive data, or execution of higher-risk account and billing operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to upload files, transcripts, and YouTube content to the Faces service but does not clearly warn that this data is sent to a remote third-party API over the internet. This creates a meaningful privacy and data-governance risk because users may provide sensitive documents or media without informed consent, especially when the skill is auto-invoked by an agent.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill includes authentication, API key, billing, and quota management workflows without an explicit warning that these operations involve sensitive credentials and potentially financially impactful actions. In an agent context, this increases the risk of exposing tokens in output, mishandling account secrets, or performing unintended account changes if the skill is invoked too loosely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document presents accepted attributes, including many sensitive categories, without a prominent privacy warning, data-handling caveat, or guidance about avoiding real personal data. That omission makes accidental oversharing more likely, especially in a user-facing skill for creating personas from source material where users may infer that all listed fields are appropriate to provide.

Missing User Warnings

High
Confidence
99% confidence
Finding
Listing SSN and tax ID as accepted fields, even with a vague '(not recommended)' note, is effectively permission to provide high-value identity data. In a persona-management skill, this is especially dangerous because it can lead to collection, storage, and downstream processing of identifiers that enable identity theft, fraud, and major compliance violations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to connect a personal ChatGPT account, states that tokens are stored server-side, and says routing and fallback happen transparently or silently. That combination creates a real security and privacy concern because users may not understand that their account is being persistently linked, that requests may consume their subscription resources, or that requests may fall back to a different credential path without explicit notice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The quickstart instructs the agent/operator to pass a plaintext password directly on the command line (`--password 'USER_PASSWORD'`). Command-line secrets are commonly exposed through shell history, process listings, terminal logs, transcripts, CI logs, and agent observability systems. In this skill context, the risk is heightened because the guide is designed for interactive agent-assisted onboarding, where credential-bearing commands may be echoed, stored, or replayed by tooling outside the user's control.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.