ReelTalk

Security checks across malware telemetry and agentic risk

Overview

ReelTalk is a coherent video transcription helper, with expected network downloads and local temporary media processing.

Install only if you are comfortable with the agent fetching supplied video URLs and related media from third-party services, including fxtwitter for X/Twitter links. Avoid using sensitive private links, expect temporary files under /tmp/reeltalk_* and a Whisper cache under ~/.cache/whisper, and note that ffmpeg may need to be installed separately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Low
Confidence: 74%
Finding
The skill sends derived identifiers from user-supplied X/Twitter links to a third-party API (fxtwitter), creating an external data transmission path not clearly disclosed in the main behavior. This increases privacy and supply-chain risk, especially because the returned media URL is trusted enough to drive further downloads.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill performs recursive deletion in /tmp using a wildcard without a user-facing warning or tighter scoping. While limited to /tmp/reeltalk_*, wildcard deletion can remove unrelated files matching that prefix and becomes riskier if other processes or users can create matching paths or symlinks.

VirusTotal

65/65 vendors flagged this skill as clean.
