Security audit

AI Photos

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it automatically downloads and runs an unpinned external CLI and can add ongoing photo indexing automation.

Install only if you trust the GitHub project that publishes the ai-photos CLI and are comfortable letting it process the photo folders you choose. Prefer a pinned and verified CLI release, review any HEARTBEAT.md changes before enabling automatic indexing, and avoid remote gallery access unless you understand the network exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill instructs the agent to download and execute a binary from a GitHub 'latest' release on every task. This creates a software supply-chain risk and enables remote code execution if the upstream repository, release process, or transport path is compromised. It is especially dangerous because the download happens automatically during normal use of a photo-indexing skill and is not pinned to a specific version, checksum, or trusted signature.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill establishes persistent automation by configuring heartbeat behavior and modifying workspace state beyond the immediate photo task, which expands its operational scope and persistence. Even if intended for auto-indexing, persistence mechanisms can be abused to run recurring actions, alter future agent behavior, or maintain access without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill causes network access and local installation of an executable without a clear user-facing warning or consent flow for those system modifications. Hidden downloads and installs reduce user control and can lead to unexpected code execution, especially in environments where users believe they are only setting up a local photo album.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill directs the agent to create or modify HEARTBEAT.md without prominently warning the user that a workspace file will be changed to enable ongoing automation. Silent modification of shared configuration can surprise users, interfere with other tasks, and create durable behavior changes that outlive the immediate photo setup.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.