Back to skill

Security audit

muapi-cinema-director

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill uses a local helper and an external model API in a way that fits its stated purpose, but users should expect prompts and media to leave their machine and may incur provider costs.

Install only if you are comfortable providing the required API key and sending prompts or media to the video provider. For private or costly projects, ask the agent to show the exact command and estimated cost before submitting a generation job.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to run a local shell script and describes submitting prompts to external video-generation models, but it does not clearly disclose these side effects or require user confirmation. In an agent setting, hidden command execution and external data transfer can cause unintended local actions, privacy exposure, and surprise costs, especially if user-provided content is sent off-box.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.