Viral Script Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a content-generation guide, but its paid API flow sends user requests and payment credentials to a raw, unencrypted HTTP IP address.

Review this before installing or using it. Do not send sensitive prompts, personal data, or payment credentials through the documented endpoint unless the publisher provides an HTTPS domain with clear payment security guarantees.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs users to submit requests and payment-related data over plain HTTP to a raw IP address, which provides no transport security or server identity verification. This enables man-in-the-middle interception or modification of prompts, payment metadata, and returned content, and is especially risky because the endpoint is used in a payment flow.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal