Back to skill

Security audit

AI SaaS Demo Script

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only guide for making SaaS demo videos; it may involve private UI captures, but I found no hidden code, persistence, or destructive behavior.

Install is reasonable for demo-script and storyboard work. When using it with private products, avoid production customer data, secrets, API keys, passwords, session cookies, or internal identifiers; use screenshots, static exports, demo data, or a temporary read-only test account wherever possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance explicitly tells the agent to capture real UI text, screenshots, tables, dashboards, timestamps, permissions, and other trust cues, which can include sensitive customer, operational, or security-relevant data. In a website-to-video pipeline, those captures may be stored, reused in storyboards, or rendered into output assets, creating a realistic risk of privacy leakage or unintended disclosure if no sanitization, minimization, or consent checks are required.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.