Test Skill 3

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed creative media automation skill that uses configured AI providers and local output files, with no hidden or destructive behavior found.

Install only if you are comfortable letting the skill send prompts, briefs, and selected media inputs to the configured AI providers and consume API credits. Avoid putting secrets or confidential campaign details in prompts, use dry-run for full pipelines first, and review output directories and task logs when handling sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

External Transmission

Medium
Category: Data Exfiltration
Content:
--argjson influence "$INFLUENCE" \
    '{text: $text, duration_seconds: $duration, loop: $loop, prompt_influence: $influence}')

  local endpoint="https://api.freepik.com/v1/ai/sound-effects"

  if [[ "$DRY_RUN" == "true" ]]; then
    json_output "$(json_build command="curl -s -X POST '${endpoint}' ..." provider="$SELECTED" model=sound-effects dry_run=true)"
Confidence: 95%
Finding: https://api.freepik.com/

External Transmission

Medium
Category: Data Exfiltration
Content:
local api_key
  api_key=$(get_provider_key elevenlabs)

  local endpoint="https://api.elevenlabs.io/v1/sound-generation"

  local payload
  payload=$(jq -n \
Confidence: 95%
Finding: https://api.elevenlabs.io/

VirusTotal

60/60 vendors flagged this skill as clean.
