AI Music Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, purpose-aligned music-video generator that uses paid AI APIs and local FFmpeg, with no evidence of hidden persistence, credential theft, or unrelated data access.

Install only if you are comfortable running local shell/FFmpeg workflows with AI-provider API keys that can spend credits. Use --dry-run first, keep provider keys scoped, leave SUNO_CALLBACK_URL at the default unless you control the HTTPS endpoint, and be aware the assembly script appears to have a shell syntax issue that may need fixing before the full workflow runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 77%
Finding
The quick-start examples are broad natural-language requests that could cause the skill to trigger on ambiguous user utterances without clear boundaries. In a skill that performs paid API calls, shell execution, downloads/uploads, and media generation, over-broad triggering can lead to unintended spending, unexpected external requests, and execution of a more powerful workflow than the user intended.

VirusTotal

66/66 vendors flagged this skill as clean.
