Security audit

Local Auto Emoji

Security checks across malware telemetry and agentic risk

Overview

This emoji skill mostly matches its purpose, but it needs review because it stores personal avatars and chat snippets and depends on undeclared external image-generation code.

Install only if you are comfortable with this skill saving avatar images and generated emojis under its public assets area, keeping short local emotion-history logs, and using an external Qwen/DashScope generation path. Review or remove the undeclared projects/getemoji dependency, clear bundled user/path indexes, and add explicit controls for consent, logging, retention, and deletion before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 81%
Finding
The skill documentation explicitly states 'No configuration needed' and does not declare permissions, yet the described functionality includes local storage under `assets/public/` and version cleanup, which implies file read/write behavior. Undeclared capabilities reduce transparency and prevent users or hosting frameworks from making informed trust decisions about what the skill can access or modify.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The documented purpose presents a simple emotion-based emoji system, but the analyzed behavior includes gated access for a specific user/channel, external image-generation integration, and persistent storage of emotion history, user settings, and version indexes. This mismatch is security-relevant because hidden access control logic, external service calls, and undisclosed persistence materially change the trust model and may expose user data or create unfair/opaque behavior.

Vague Triggers

Medium
Confidence: 86%
Finding
Using an everyday greeting like '你好' as a first-use activation trigger is overly broad and can cause the skill to activate unintentionally in normal conversation. Because activation leads to avatar solicitation and downstream image generation, accidental triggering can expose users to unwanted data collection or confusing autonomous behavior.

Vague Triggers

Medium
Confidence: 84%
Finding
The phrase '根据关键词、外部因素、历史惯性判断情绪' describes a broad, ambiguous automatic trigger model with little indication of boundaries or user control. In context, this means the skill may react based on conversation history or unspecified external signals, increasing the chance of surprise activation, profiling, or behavior users did not knowingly authorize.

Missing User Warnings

Medium
Confidence: 90%
Finding
The feature list and usage flow mention requesting a user's avatar and generating personalized emoji images, but the description does not clearly warn about collection, processing, storage, or possible transmission of avatar data to an external image service. Avatar images are personal data, so silent or under-disclosed collection and generation creates privacy and consent risks.

Missing User Warnings

Medium
Confidence: 92%
Finding
The module persists conversation-derived context to a local JSON log file, including timestamps, triggers, and up to 200 characters of message content, without any consent, notice, retention controls beyond truncation, or file permission hardening. In a local agent skill, chat content often contains sensitive personal or work information, so silent persistence increases privacy risk and can expose data to other local users, backups, or malware that reads application files.

Missing User Warnings

Medium
Confidence: 86%
Finding
The code stores and processes a user-supplied avatar immediately via create_version() and then launches emoji generation, without an explicit privacy notice or consent step in this path. Because avatars are sensitive personal data, silent persistence and transformation increase privacy risk, especially since files are kept under assets/public and may be reused later.

VirusTotal

66/66 vendors flagged this skill as clean.