shellbot-creative

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed creative-media pipeline that sends prompts and media instructions to external generation providers when the user chooses to run those workflows.

Install only if you are comfortable sending creative briefs, prompts, image URLs, narration text, and related project details to external AI providers such as Freepik, fal.ai, or inference.sh. Review generated shell plans before running them, especially for confidential launches or customer data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (24)

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The script advertises itself as a local dry run with no API calls, but it emits an executable shell script containing real authenticated curl requests to external providers. That mismatch can mislead operators into approving or distributing generated artifacts that later transmit user-derived prompts and content off-host, creating a trust and data-handling risk.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The file defines multiple outbound API calls that send prompts, narration text, and generation instructions to Freepik using a sensitive API credential, but there is no visible user-facing disclosure, consent gate, or data-handling warning in this artifact. In a creative-production skill, external transmission is expected, but undisclosed transfer of potentially user-supplied creative briefs or voiceover text to a third party still creates privacy, compliance, and surprise-risk concerns.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The manifest embeds command hints that send user-provided prompts, image URLs, text, and other creative inputs to third-party APIs, but the file contains no indication of user disclosure, consent gating, or data-handling warning. In an agent skill, these hints can normalize silent export of potentially sensitive creative content or personal data to external providers, which is a real privacy and compliance risk even if the transmission is part of intended functionality.

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_1", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Hook scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_2",
Confidence: 83% confidence
Finding: curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_1", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Hook scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_2",
Confidence: 83% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_2", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Pain scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_3",
Confidence: 81% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_3", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Reveal scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_4",
Confidence: 81% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_4", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Features scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_5",
Confidence: 81% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_5", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Proof scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_6",
Confidence: 81% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_6", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. CTA scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_7",
Confidence: 81% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_7", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Hook scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "asset_scene_8",
Confidence: 80% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "asset_scene_8", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Create a 45-second product marketing video for an AI note-taking app for founders. Pain scene, 16:9, modern cinematic lighting.\",\"resolution\":\"2k\",\"styling\":{\"style\":\"photo\"}}'" }, { "step": "video_scene_1",
Confidence: 80% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "video_scene_1", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/video/kling-v3-omni-pro -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Animate scene 1 with cinematic product motion\",\"duration\":5}'" }, { "step": "video_scene_3",
Confidence: 82% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "video_scene_3", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/video/kling-v3-omni-pro -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Animate scene 3 with cinematic product motion\",\"duration\":5}'" }, { "step": "video_scene_5",
Confidence: 82% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "video_scene_5", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/video/kling-v3-omni-pro -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Animate scene 5 with cinematic product motion\",\"duration\":5}'" }, { "step": "video_scene_7",
Confidence: 82% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "video_scene_7", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/video/kling-v3-omni-pro -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"Animate scene 7 with cinematic product motion\",\"duration\":5}'" }, { "step": "voiceover",
Confidence: 82% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "voiceover", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/voiceover/elevenlabs-turbo-v2-5 -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"text\":\"Replace with stitched scene narration\",\"voice_id\":\"21m00Tcm4TlvDq8ikWAM\"}'" }, { "step": "music",
Confidence: 86% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: { "step": "music", "provider": "freepik", "command": "curl -s -X POST https://api.freepik.com/v1/ai/music-generation -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"upbeat modern product marketing background music\",\"music_length_seconds\":45}'" } ]
Confidence: 79% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: "required_env": [ "FREEPIK_API_KEY" ], "command_hint": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"...\",\"resolution\":\"2k\"}'" }, "pipeline_sequence": [ "Plan storyboard",
Confidence: 85% confidence
Finding: curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"...\",\"resolution\":\"2k\"}'" }, "pipel

External Transmission

Medium

Category: Data Exfiltration
Content: "required_env": [ "FREEPIK_API_KEY" ], "command_hint": "curl -s -X POST https://api.freepik.com/v1/ai/mystic -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"...\",\"resolution\":\"2k\"}'" }, "pipeline_sequence": [ "Plan storyboard",
Confidence: 85% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: "required_env": [ "FREEPIK_API_KEY" ], "command_hint": "curl -s -X POST https://api.freepik.com/v1/ai/image-upscaler-precision-v2 -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"image\":\"https://...\",\"scale\":4}'" }, "pipeline_sequence": [ "Plan storyboard",
Confidence: 92% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: "required_env": [ "FREEPIK_API_KEY" ], "command_hint": "curl -s -X POST https://api.freepik.com/v1/ai/video/kling-v3-omni-pro -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"...\",\"duration\":5}'" }, "pipeline_sequence": [ "Plan storyboard",
Confidence: 90% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: "required_env": [ "FREEPIK_API_KEY" ], "command_hint": "curl -s -X POST https://api.freepik.com/v1/ai/voiceover/elevenlabs-turbo-v2-5 -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"text\":\"...\",\"voice_id\":\"21m00Tcm4TlvDq8ikWAM\"}'" }, "pipeline_sequence": [ "Plan storyboard",
Confidence: 94% confidence
Finding: https://api.freepik.com/

External Transmission

Medium

Category: Data Exfiltration
Content: "required_env": [ "FREEPIK_API_KEY" ], "command_hint": "curl -s -X POST https://api.freepik.com/v1/ai/music-generation -H 'x-freepik-api-key: $FREEPIK_API_KEY' -H 'Content-Type: application/json' -d '{\"prompt\":\"upbeat cinematic\",\"music_length_seconds\":30}'" }, "pipeline_sequence": [ "Plan storyboard",
Confidence: 84% confidence
Finding: https://api.freepik.com/

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal