Security audit

Ecommerce Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed e-commerce video payload/API workflow with external submission only when requested, though users should be aware product images and script text may be sent to third-party services.

Use preview mode first for sensitive or unreleased product material. Only run `--submit` when you are comfortable sending the storyboard prompt, product reference image, and related payload details to the configured AIGC service, and review any third-party API terms before using real customer or proprietary assets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill supports a `--submit` mode that sends the generated prompt/script and product reference image to an external AIGC API, but the documentation does not clearly warn users at the point of use that local content will leave the environment. This can lead to unintentional disclosure of sensitive product assets, unreleased marketing copy, or proprietary business data, especially because the workflow is designed to process real e-commerce materials and the submission action is only briefly described as a mode switch.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.