Security audit

portrait-compare

Security checks across malware telemetry and agentic risk

Overview

This skill locally compares two face photos as advertised, but users should treat the images and generated result as sensitive biometric data.

Install only if you are comfortable with a local tool comparing face photos. Use it only on images you are authorized to process, verify any optional ONNX model files before using high-precision mode, delete generated result images such as /tmp/face_result.jpg when finished, and do not rely on the similarity score as the sole basis for important identity decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger text is overly broad and includes common-language phrases such as '帮我看看这两张照片是不是同一个人', which can cause the skill to activate in casual or ambiguous contexts. Because this skill performs biometric face comparison and identity-related inference, over-triggering increases the chance of unauthorized or unintended processing of highly sensitive personal data.

Missing User Warnings

High
Confidence: 98%
Finding
This skill handles facial recognition and identity verification, which are high-sensitivity biometric operations, but the description does not warn users about the privacy, legal, and misuse risks. Without explicit notice and consent framing, users may unknowingly submit biometric data for identity inference, creating significant privacy, compliance, and abuse exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.