Back to skill

Security audit

Ecommerce Video Script Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned and not malicious, but users should review any upstream instruction fields before letting them influence generated output.

Install only if you are comfortable with upstream content influencing generated results. Treat any selling-point or usage-instruction fields as untrusted input, review generated output before using it, and do not provide credentials or private data unless the skill clearly needs them for the task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill requires `--details`, `--angle`, and especially upstream `usage_instructions` from `selling_points.json` to be followed 'strictly', even though those fields are untrusted and may contain adversarial prompt content. This weakens prompt-injection defenses and can let upstream or user-controlled text override system intent, manipulate outputs, or smuggle unsafe instructions into downstream AI/video-generation stages.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.