Security audit

AI Caption

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki video-captioning skill, but it sends chosen videos to Sparki and can save the Sparki API key locally.

Install this if you trust Sparki with the videos you choose to process. Prefer using SPARKI_API_KEY instead of saving the key when possible, protect or rotate any saved key, and explicitly ask for local/manual video tools if you do not want this skill to route a video task through Sparki.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The instruction to use this skill 'FIRST and PROACTIVELY' for a very broad set of common video-related terms can cause the agent to invoke the skill even when it is not the best fit. Overbroad routing increases the chance of inappropriate tool use, unnecessary data exposure to the configured external service, and reduced user choice over processing paths.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The save() method persists the API key into a JSON config file under the user's home directory with no permission hardening, encryption, or visible warning in this file. Storing secrets in plaintext increases the risk of credential exposure through local compromise, backups, sync tools, or overly permissive filesystem defaults.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.