Fashion Video Creator

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for creating fashion video assets, with disclosed external AI-service use and no evidence of hidden persistence or destructive behavior.

Install only if you are comfortable using a Volcano Engine API key and sending fashion prompts, product imagery, or model details to external generation services. Use a dedicated revocable key, review prompts before generation, watch paid API usage, and override the gendered audience or tone defaults when they do not fit the intended content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium, 91% confidence
Finding
The README suggests very broad natural-language trigger phrases like “帮我做一个穿搭视频” and “Create a fashion video,” which increases the chance the skill is invoked unintentionally for ordinary user requests. In an agent ecosystem, ambiguous activation can route unrelated prompts into a skill that performs external content generation and may process sensitive user-provided details, creating scope confusion and accidental data disclosure to third-party services.

Missing User Warnings

Medium, 95% confidence
Finding
The README instructs users to supply a Volcano Engine account/API key and use external Seedream endpoints, but it does not warn that prompts, images, garment descriptions, and potentially personal or proprietary content may be sent to third-party services. This omission can mislead users about privacy expectations and increases the risk of exposing sensitive data, credentials, or commercial assets during use.

Natural-Language Policy Violations

Medium, 91% confidence
Finding
The file auto-resolves target audience from garment type and model gender, which applies gender-based assumptions without explicit user opt-in. This can lead to stereotyping, misgendering, and unwanted personalization in generated content, especially in a user-facing creative workflow.

Natural-Language Policy Violations

Medium, 94% confidence
Finding
The skill explicitly defines different speech patterns for 'female' and 'male' tones, hard-coding gender stereotypes into output generation. In a production assistant, this can create biased or exclusionary content and reduce user control over persona and voice.

Natural-Language Policy Violations

Low, 82% confidence
Finding
The action demeanor section assigns different presentation styles based solely on gender, which enforces gendered behavioral norms without necessity. While lower risk than direct harmful content, it still embeds bias into generated media instructions and may produce exclusionary or stereotyped outputs.

Natural-Language Policy Violations

Medium, 95% confidence
Finding
The dialogue style matrix hard-codes persona differences across all styles for female versus male speakers, systematically linking communication traits to gender. This increases bias in generated outputs and can propagate stereotyped representations at scale in batch content creation.

VirusTotal

63/63 vendors flagged this skill as clean.