Json To Jianying Description

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for turning a specific video-material JSON format into a Jianying video description, with no code execution or credential access.

Before installing, confirm that this Chinese-language Jianying workflow and the referenced asset-download domain are appropriate for your environment. Avoid feeding private media URLs or OSS keys unless the downstream video system is intended to receive them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrases are broad enough to match ordinary requests like 'help me make a video,' which can cause this skill to activate outside its narrow JSON-to-description purpose. That creates routing confusion and may lead the agent to mishandle unrelated user requests, reducing reliability and potentially exposing internal transformation behavior when the required JSON structure is absent.

Natural-Language Policy Violations

Medium

Confidence: 82% confidence
Finding: The skill description is written to enforce Chinese-language behavior without documenting that this restriction is required by the task or allowing user preference. While not a direct security flaw, this can cause incorrect handling of multilingual inputs and unintended activation or output behavior in contexts where language choice matters.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal