Back to skill

Security audit

Work Im Avatar Generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple avatar-generation API recipe that clearly sends a user-provided photo to wsdsocial.com, with no hidden code or installer behavior found.

Install only if you are comfortable sending the chosen photo, image URL or base64 image data, and your WSD API key to wsdsocial.com. Avoid sensitive photos or images with private background details, and check the provider's data handling terms if retention or reuse matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly asks users to provide a personal photo and sends it to a remote third-party API, but it does not warn users about the privacy implications of transmitting biometric/personal image data off-platform. This omission can lead users to unknowingly expose sensitive personal data, especially because photos may contain face data, metadata, or other identifying information and are processed by an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.