LovelyBots

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed LovelyBots video-generation workflow, with the main caution that submitted media and public share links should be treated as sensitive.

Install only if you trust LovelyBots to process the scripts and images you provide. Do not submit confidential, regulated, or non-consensual likeness data unless you have reviewed the vendor terms; protect LOVELYBOTS_API_KEY; monitor credit usage; and treat share_url values as public or bearer-style links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly recommends surfacing `share_url` to the user during processing, but elsewhere describes it as a public shareable page URL. Public links can bypass intended access controls and expose in-progress or completed generated media, job identifiers, and associated content to unintended recipients if shared in logs, chats, or multi-tenant agent traces.

VirusTotal

63/63 vendors flagged this skill as clean.
