Back to skill

Security audit

Corporate Portrait Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: send a user-chosen photo to a disclosed portrait-generation API and return an image URL.

Install only if you are comfortable sending the selected photo and prompt to wsdsocial.com using your API key. Avoid uploading photos of other people without consent, and check the provider's privacy and retention terms if the images are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks users to provide personal photos and sends them to a third-party API for processing, but the documentation does not clearly warn about the privacy implications of uploading biometric/personal image data off-platform. This can lead users to unknowingly disclose sensitive personal information, especially because the service accepts direct photo URLs and base64 image uploads and returns processed image URLs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.