Security audit

Chanjing Content Creation Skill

Security checks across malware telemetry and agentic risk

Overview

This media-creation skill mostly matches its stated purpose, but it should be reviewed carefully because it handles Chanjing credentials and account actions with weak host, path, and confirmation boundaries.

Install only if you trust this Chanjing workflow with your APP_ID/SECRET_KEY and media/account operations. Keep CHANJING_API_BASE pointed at the official Chanjing API, do not set CHANJING_ENV_FILE to shared or synced paths, review output directories before sharing, and require explicit confirmation before deleting custom digital people or starting costly/non-interactive renders.

SkillSpector
By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (40)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Confidence: 89%
Content:
    cmd = [sys.executable, str(script_path(skill_name, script_name)), *(args or [])]
    # By default keep the caller's current working directory so that relative output paths land in the user's current path.
    effective_cwd = cwd or Path.cwd()
    proc = subprocess.run(
        cmd,
        cwd=str(effective_cwd),
        text=True,
Finding:
    proc = subprocess.run( cmd, cwd=str(effective_cwd), text=True, capture_output=True, check=False, )

Tainted flow: 'req' from os.environ.get (line 66, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 92%
Content:
    """GET file_detail; API business errors return (None, msg); network exceptions are propagated to the caller."""
    url = f"{API_BASE}/open/v1/common/file_detail?id={urllib.parse.quote(file_id)}"
    req = urllib.request.Request(url, headers={"access_token": token}, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    if body.get("code") != 0:
        return None, str(body.get("msg", "file_detail failed"))
Finding:
    with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 66, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 95%
Content:
    qs = urllib.parse.urlencode({"service": service, "name": name})
    url = f"{API_BASE}/open/v1/common/create_upload_url?{qs}"
    req = urllib.request.Request(url, headers={"access_token": token}, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    if body.get("code") != 0:
        return None, str(body.get("msg", body))
Finding:
    with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 40, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 93%
Content:
    url = f"{API_BASE}{path}{suffix}"
    req = urllib.request.Request(url, headers={"access_token": token}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except Exception as exc:
        raise SkillHTTPError(str(exc)) from exc
Finding:
    with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 40, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 93%
Content:
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except Exception as exc:
        raise SkillHTTPError(str(exc)) from exc
Finding:
    with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 301, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 94%
Content:
    def download_url(url: str, dest: Path) -> None:
        with DOWNLOAD_SEM:
            req = urllib.request.Request(url, method="GET")
            with urllib.request.urlopen(req, timeout=300) as resp:
                dest.write_bytes(resp.read())
Finding:
    with urllib.request.urlopen(req, timeout=300) as resp:

Tainted flow: 'ENV_FILE' from os.environ.get (line 13, credential/environment) → pathlib.Path.write_text (file write)

Severity: Medium
Category: Data Flow
Confidence: 90%
Content:
    def _write_env_file(values):
        ENV_FILE.parent.mkdir(parents=True, exist_ok=True)
        lines = [f"{key}={values[key]}" for key in sorted(values.keys())]
        ENV_FILE.write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")
        try:
            os.chmod(ENV_FILE, 0o600)
        except OSError:
Finding:
    ENV_FILE.write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill declares significant capabilities in prose and metadata—environment access, local credential file reads/writes, outbound HTTPS, subprocess execution, and possible browser launch—but does not provide an explicit permission model for users or the runtime to enforce. This creates a transparency and governance gap: the skill can perform sensitive actions once routed, and users may not understand or approve the full side-effect surface before activation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The prompt introduces mandatory web-search behavior for identifiable people and recent hot topics, expanding the skill from script generation into live data retrieval without clearly scoping trust, source quality, privacy, or safety constraints. This can cause the agent to fetch unverified or sensitive information, amplify rumors, or process personal data in a stage that otherwise appears to be a content-writing template.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The template hard-codes a default ethnicity anchor of 'East Asian' whenever the prompt does not uniquely specify ethnicity. This introduces demographic bias and causes the system to infer and enforce a protected characteristic without user request, which is outside the stated generic content-creation routing purpose and can systematically skew outputs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The historical-scene rules default ambiguous content into a Chinese-civilization framing and East Asian facial features absent explicit user direction. That expands the skill from content generation into unsolicited cultural/ethnic steering, which can misrepresent subjects and encode a region-specific bias across generated historical content.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The description includes broad trigger phrases such as '做一个短视频' ("make a short video") that can match common everyday requests, causing the skill to activate in situations where the user may only want generic advice rather than this specific external-service workflow. Because this skill can lead to credential checks, network access, local file writes, and subprocesses via subskills, overbroad activation increases the risk of unintended side effects and accidental data disclosure to a third-party API.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The route map includes vague phrases like '做一个 xx 视频' ("make an xx video") under one-click video creation, which may capture many ordinary user requests outside the intended platform scope. In this skill's context, misrouting is more dangerous than usual because successful activation can cascade into authentication flows, network calls, downloads, and local processing through child skills.

Missing User Warnings

Severity: Medium
Confidence: 76%
Finding: When credentials are missing, the code may open a browser or run a login helper automatically without an explicit confirmation step. In an agent setting, unexpected browser launch is a side effect that can surprise users, leak context through navigation, or be abused for nuisance/phishing flows if surrounding components are compromised.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The framework executes local skill scripts without visible disclosure at the execution point. In an agent context with side effects, hidden command execution reduces user awareness and can make misuse or unexpected operations harder to detect, especially because cwd and args can influence file outputs and behavior.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The manifest describes this as a routing entry point that can invoke multiple media-generation capabilities, but it does not define concrete activation triggers or tighter invocation constraints. In an agent environment, broad or ambiguous activation can cause the skill to run on loosely related user requests, expanding access to network, filesystem, browser-auth, and subprocess capabilities beyond what is necessary.

Missing User Warnings

Severity: Low
Confidence: 94%
Finding: The skill explicitly instructs the agent to perform web searches, gather public discussion data, and record external image URLs for later processing, but the skill metadata/description does not clearly warn users that external content will be collected and fed into downstream generation steps. This creates a transparency and consent problem: users may not realize their prompt can trigger network retrieval and reuse of third-party content, which can introduce privacy, copyright, and provenance risks.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill explicitly defaults to `execution_mode=non_interactive_render` and instructs the agent to directly generate and deliver `final_one_click.mp4`, `workflow_result.json`, and `work/` artifacts without an explicit user warning or confirmation about file creation, local writes, downloads, subprocess use, or returning potentially sensitive intermediate artifacts. In a skill that performs rendering, credential use, local file operations, and ffmpeg subprocess execution, this increases the risk of surprising side effects, unintended disk writes, and accidental disclosure of intermediate data.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding: The schema explicitly encodes a default preference for selecting 'young digital humans' when the user has not opted into any age-related attribute. This creates a biased default that can lead to inappropriate persona selection, discriminatory behavior, and compliance or reputational issues, especially in a content-generation system that may automatically produce user-facing media.

Natural-Language Policy Violations

Severity: Medium
Confidence: 86%
Finding: The template hard-codes a China-default cultural/geographic framing when the user has not requested it, which can silently steer outputs toward a specific national viewpoint. In a content-generation pipeline, this creates systemic bias and can misrepresent user intent or produce politically/culturally loaded outputs without explicit consent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding: The template requires East Asian facial/identity attributes to be inferred and enforced for people in scenes based on contextual guesswork rather than explicit user instruction. This is dangerous because it operationalizes protected-attribute inference and can lead to stereotyped or exclusionary depictions at scale, especially in automated media generation.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
Finding: This section mandates East Asian ethnicity-specific output without user opt-in, requiring the agent to inject protected-attribute descriptors into prompts. In a broad content-creation skill, that creates a systematic policy-level bias affecting many outputs, increasing the risk of discriminatory or misleading generations at scale.

Natural-Language Policy Violations

Severity: High
Confidence: 95%
Finding: The historical-content section enforces Chinese/East Asian defaults for people, dress, and civilization markers even when the user did not opt in. This can overwrite user intent, distort historical representation, and produce culturally biased outputs across a wide set of ambiguous prompts.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding: The reasoning logic explicitly instructs the system to apply East Asian/China-context defaults when the text is insufficient to infer ethnicity or civilization. That means ambiguity is resolved by assigning protected characteristics and a specific cultural context, creating a repeatable biased decision rule rather than an isolated wording issue.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The examples encourage downloading remote content to the local filesystem without warning about trust, destination control, or validation of the source URL. In the context of a skill that explicitly downloads results locally, this can normalize unsafe handling of attacker-controlled URLs or files and increase the risk of writing untrusted content to disk, potentially leading to malicious file placement or user-assisted execution.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.