Jiuma Free Lip-Sync Digital Human (九马免费对口型数字人)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its video-generation purpose, but it stores and can print a reusable Jiuma API key in plaintext during login.

Install only if you are comfortable sending your generation inputs to Jiuma and storing a reusable Jiuma API key locally. Avoid this skill on shared or untrusted machines, do not submit sensitive personal or regulated content, verify any login or recharge link before using it, and delete or protect the .jiuma credential files when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documents use of file read/write and network operations but does not declare corresponding permissions, which weakens reviewability and least-privilege controls. Hidden or undeclared capabilities make it easier for a skill to access local files, persist data, or contact remote services without explicit operator awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior goes beyond simple video generation by driving login flows, saving authentication materials locally, and handling payment-related actions, while also overstating supported features such as audio-to-video. This mismatch can mislead users and reviewers about the true trust boundary, data handling, and account-impacting operations performed by the skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to shepherd users through recharge and login flows when quota is exhausted, expanding from content generation into account and payment orchestration. That creates phishing-like risk, increases the chance of inappropriate monetization pressure, and can expose users to credential or financial abuse through externally supplied URLs or QR codes.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
Exposing qrcode_url and login_url for upsell or feature unlocking is not required for the core generation task and encourages the agent to steer users to external monetization paths. While lower severity than direct credential handling, it still broadens social-engineering surface and normalizes trust in externally provided links.
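The two findings above and the overview's advice to verify any login or recharge link come down to one control: do not surface a vendor-supplied `login_url` or `qrcode_url` to the user until it has been checked against an allow-list. The following is an added example, not code from the skill or from Jiuma; the allowed hostname `login.example-vendor.test` is a placeholder, since the page does not state the vendor's real login domain, and the payload is constructed.

```python
# Added example (not the skill's own code). Gate the login_url / qrcode_url
# values returned by the API before an agent shows them to a user.
from urllib.parse import urlsplit

# Hypothetical allow-list; the real Jiuma login host is not given on the page.
ALLOWED_HOSTS = frozenset({"login.example-vendor.test"})


def check_external_link(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Return (ok, reason). Accept only https URLs whose host is on the
    allow-list or a subdomain of an allow-listed host, with no userinfo."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    # "https://login.example-vendor.test@evil.test/" parses with the trusted
    # name as the username and evil.test as the host; reject any userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo (user@host trick)"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "URL has no host"
    # Suffix match on ".allowed" so "login.example-vendor.test.evil.test"
    # does not pass as a subdomain. Caveat: no IDN/homoglyph normalisation.
    if any(host == a or host.endswith("." + a) for a in allowed_hosts):
        return True, f"host {host!r} is on the allow-list"
    return False, f"host {host!r} is not on the allow-list"


def vet_login_payload(data: dict, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Apply the check to the fields the findings name; returns field -> (ok, reason)."""
    return {
        field: check_external_link(str(data[field]), allowed_hosts)
        for field in ("login_url", "qrcode_url")
        if field in data
    }


if __name__ == "__main__":
    # Constructed payload: one acceptable link, one that must be withheld.
    sample = {
        "login_url": "https://login.example-vendor.test/auth?session=abc",
        "qrcode_url": "https://cdn.evil.test/qr.png",
    }
    for field, (ok, reason) in vet_login_payload(sample).items():
        print(f"{field}: {'show' if ok else 'withhold'} ({reason})")
```

An agent that receives a payload failing this check should stop and tell the user rather than render the link or QR code; the allow-list is the only part that needs to be filled in from the vendor's documentation.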

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill asks users to provide text, audio URLs, avatar media URLs, and related content that will be sent to a third-party API, but it does not warn users about external data sharing or privacy implications. This can lead to unintentional disclosure of sensitive personal, biometric, or copyrighted material to the vendor.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code saves the returned `secret_key` locally via `save_jiuma_api_key(data["secret_key"])` immediately after login without any explicit user disclosure, confirmation, or indication of how and where the credential will be stored. Persisting API credentials silently increases the risk of unintended long-term exposure, especially if the storage location is insecure or shared with other local users/processes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill persists the Jiuma API key in plaintext to a predictable local path under the project directory without any disclosure, permission hardening, or use of a secure secret store. If the host is shared, compromised, backed up, or the workspace is exposed, the credential can be recovered and used to impersonate the user against the remote API.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code also writes an authentication-related random string to disk in plaintext at a predictable location, again without user notice or access controls. Depending on how this value is used by the upstream service, theft could enable session reuse, request forgery, or bypass of intended authentication flow, especially in multi-user or agent-hosted environments.
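The last three findings describe the same defect from three angles: a credential written in plaintext to a predictable path with whatever permissions the process umask leaves, and no way for the user to audit or clean it up. The following is an added example, not the skill's or Jiuma's code: it reproduces that write pattern beside a hardened variant (owner-only directory and file, atomic rename), plus the audit and delete helpers a user would want for the `.jiuma` credential files. The paths and key value are constructed placeholders.

```python
# Added example (not the skill's own code). Insecure vs hardened credential
# save, with an audit/delete helper for the .jiuma credential files.
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


def save_key_insecure(path: Path, secret_key: str) -> Path:
    """The flagged pattern: plain write, mode left to the process umask
    (typically 0644, i.e. readable by every local user)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(secret_key)
    return path


def save_key_hardened(path: Path, secret_key: str) -> Path:
    """Owner-only directory and file, written atomically so no partially
    written or group/world-readable copy ever exists on disk.

    Caveat: POSIX permission bits only. They do not help against a compromised
    user account or a backup that copies the workspace; an OS secret store is
    the stronger option where one is available."""
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".tmp-")  # created 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret_key)
        os.replace(tmp, path)  # atomic rename; the 0600 mode travels with it
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def audit_credential_file(path: Path) -> list:
    """Return a list of problems with a stored credential; empty means OK."""
    if not path.exists():
        return ["missing"]
    issues = []
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        issues.append(f"file mode {oct(mode)} readable/writable by group or others")
    dir_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if dir_mode & 0o077:
        issues.append(f"directory mode {oct(dir_mode)} not owner-only")
    if st.st_uid != os.getuid():
        issues.append("not owned by the current user")
    return issues


def delete_credential_file(path: Path) -> bool:
    """Remove a stored key when finished; True if a file was removed."""
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False


def demo(base: Optional[Path] = None) -> dict:
    """Run both writers in a scratch directory and audit the results."""
    base = base or Path(tempfile.mkdtemp(prefix="jiuma-demo-"))
    old_umask = os.umask(0o022)  # pin umask so the insecure mode is deterministic
    try:
        insecure = save_key_insecure(base / "insecure" / ".jiuma" / "api_key", "sk-constructed-example")
        hardened = save_key_hardened(base / "hardened" / ".jiuma" / "api_key", "sk-constructed-example")
    finally:
        os.umask(old_umask)
    return {
        "insecure_mode": oct(stat.S_IMODE(insecure.stat().st_mode)),
        "insecure_issues": audit_credential_file(insecure),
        "hardened_mode": oct(stat.S_IMODE(hardened.stat().st_mode)),
        "hardened_issues": audit_credential_file(hardened),
        "hardened_value": hardened.read_text(),
        "deleted": delete_credential_file(hardened),
        "after_delete": audit_credential_file(hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `audit_credential_file` against the skill's real `.jiuma` files after login is the quick check a user can do on a shared host; anything other than an empty list means another local account can read the key.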

VirusTotal

60/60 vendors flagged this skill as clean.
