HeyGen AI Avatar Video (Lite)

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only HeyGen API guide whose API-key use and third-party video generation are expected for its purpose.

Before using it, treat the HeyGen API key as sensitive: avoid committing it, sharing terminal logs or screenshots containing it, and rotate it if exposed. Review any text, avatar, or voice data before sending it to HeyGen, and verify the affiliate signup and premium upsell links independently before paying.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to send a live API key in multiple curl requests but provides no warning about credential sensitivity, shell history leakage, logging exposure, or secure storage. While using an API key with the vendor API is expected, the missing handling guidance can lead users to expose reusable credentials in terminals, scripts, screenshots, or shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal