🎬 观影小管家

Security checks across malware telemetry and agentic risk

Overview

This movie assistant is purpose-aligned, but it needs review because it ships real-looking API/server defaults, can leak an Emby token to third-party movie APIs, and stores private viewing/context data in plaintext.

Review before installing. Use only your own least-privilege TMDB/Emby keys, replace and rotate any shipped keys, and do not run the current code with an Emby token until Emby headers are restricted to Emby URLs only. Treat movie-memory.md as private because it can store viewing history, ratings, feelings, mood, and work context; avoid shared machines unless you are comfortable with that plaintext record.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The README exposes operational infrastructure details and explicitly instructs users to configure and use credentials for an internal Emby service. Even though the Emby API key itself is blank, the combination of a live private IP, service port, username, and setup guidance materially lowers the barrier to unauthorized access attempts and expands the attack surface beyond a simple movie-recommendation skill.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill loads credentials from a parent .env file and immediately configures access to a local Emby server and third-party movie APIs without any declared scope, consent flow, or manifest context. In an agent setting, this grants the skill access to local network resources and secrets that may exceed its intended privilege boundary, enabling unauthorized data access and lateral exposure of a private media server.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code synchronizes and persists Emby watch history into a local markdown file, creating a durable record of personal viewing behavior. Persistent storage of behavioral data is sensitive because it can reveal habits, preferences, and timelines, and the skill does this automatically without clear retention controls or user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly says it will record the user's mood, work status, topic interests, and viewing feedback for future recommendations, but it provides no notice about what is stored, how long it is retained, or who can access it. This creates a privacy risk because it involves ongoing collection of behavioral and potentially sensitive personal context without informed consent or data-minimization boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes analyzing Emby server content and using Emby API access to improve recommendations, but it does not warn users that their media library or server metadata may be queried. Querying personal server/library data without transparent disclosure can expose viewing habits, library contents, and other personal preference information beyond what users reasonably expect.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill describes collecting viewing history, ratings, mood, work status, and preference data, and combining that with Emby account access, but provides no privacy notice, retention policy, or consent language. This creates a real privacy risk because sensitive behavioral profiling data could be stored or exposed without users understanding what is collected and how it is used.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger examples are broad natural-language phrases such as asking for recommendations, which can easily overlap with ordinary conversation. In an agent environment, this raises the chance of unintended skill activation and actions such as querying external services or influencing stored preference data without a clear opt-in boundary.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The background-recording examples treat ordinary statements about mood, workload, and interests as skill inputs, making it likely that routine chat could be interpreted as data to persist. This creates a consent and privacy problem because sensitive contextual state may be captured or used for future recommendations without an explicit save request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation says a local memory file will be automatically created for viewing records and preferences, but it does not clearly warn the user at the point of use that their inputs will be written to disk. Silent persistence of personal history and preferences is a data-retention risk, especially on shared machines or systems with weak local protections.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages users to provide mood, work status, and preference information to improve recommendations, but does not explain how this personal data will be stored, used, or protected. Even if not highly regulated data, these details are sensitive behavioral signals that can expose habits and emotional state if retained or disclosed.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Sensitive viewing history is written to disk without a user-facing warning, creating silent persistence of private behavioral data. Even if the file is local, this increases privacy risk because other processes, backups, or users on the host may access a detailed record of watched titles and dates.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill persists user ratings and free-text feelings to a local file without clearly telling the user that this preference data will be retained. Free-text impressions can contain more personal information than expected, so undisclosed storage creates avoidable privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The skill stores mood, work status, and interests persistently, which are sensitive contextual attributes that can reveal personal circumstances beyond movie preferences. Collecting and retaining this data without explicit privacy notice or consent is risky because it enables profiling and may expose intimate behavioral context if the file is accessed.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase says that every time the user says a natural sentence like 'watched XXX, felt XXX, rated X', the system will automatically record it. Because this trigger is broad and embedded in ordinary conversation, the skill may capture and persist user data when the user did not clearly intend to invoke logging, leading to surprise collection and profiling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that AI will learn user preferences and recommend content based on records, but it provides no notice about what data is stored, how long it is kept, or how it is used. This creates a privacy risk because users may disclose behavioral and preference data without informed consent, especially when profiling is ongoing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The background-record section explicitly invites collection of mood, work status, and recent concerns to improve recommendations, which are potentially sensitive personal-context signals. Collecting and storing this information without an explicit warning or consent flow increases the risk of overcollection, profiling, and accidental exposure of personal life details.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Describing automatic weekly recommendations implies recurring processing of accumulated user records, but the skill does not tell users that stored data will continue to be profiled over time. This is less severe than direct sensitive-data capture, but it still creates a transparency and consent problem around ongoing behavioral analysis.

Ssd 3

High
Confidence
99% confidence
Finding
The README contains a plaintext TMDB API key and internal service connection details, including a private Emby URL and username. Hardcoded secrets and environment-specific endpoints in public or shareable documentation can be harvested for abuse, lead to unauthorized API consumption, and reveal internal network topology that assists further targeting.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs persistent recording of viewing history, ratings, impressions, and preferences in a local memory file. This is a genuine data-retention behavior that can accumulate personally revealing information over time, especially when combined with dates and inferred interests.

Ssd 3

Medium
Confidence
94% confidence
Finding
Tracking mood and workload as background context extends storage beyond media preferences into sensitive personal-state data. In context, this makes the skill more dangerous because the data is not merely entertainment metadata; it can reveal emotional patterns and daily routines that users may not expect to be retained.

Ssd 3

Medium
Confidence
93% confidence
Finding
The examples directly encourage users to supply impressions, interests, mood, and work status for improved recommendations, normalizing collection of sensitive free-form data. Because these are natural conversational phrases, users may disclose more than intended and the agent may retain it without a clear transactional boundary.

Ssd 3

Medium
Confidence
96% confidence
Finding
The documented memory file structure shows systematic logging of dated viewing history, ratings, subjective impressions, and aggregated preference profiles. This creates a durable behavioral dossier whose sensitivity increases over time, particularly if stored in plaintext or on a host shared with other tools or users.

Ssd 3

Medium
Confidence
92% confidence
Finding
The statement that every qualifying movie report will be automatically recorded creates persistent collection of user-provided data with no visible limits on scope, retention, or review. In this skill context, that is dangerous because normal conversation about entertainment preferences can silently become a long-term behavioral log.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill encourages recording emotional state and work status in a background section to improve recommendations, which goes beyond ordinary movie tracking into sensitive personal profiling. In this context, the data is not essential to the core function and therefore increases privacy risk without a strong justification.

VirusTotal

64/64 vendors flagged this skill as clean.
