Live Photo Maker

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward local video-to-Live-Photo converter, with ordinary dependency-installation and output-overwrite risks.

Install only if you are comfortable with local media tools being installed or used. Prefer reviewing and approving exact install commands for ffmpeg, makelive, and pipx, and run conversions in a dedicated output folder because files or a .pvt directory with the same base name may be overwritten or removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill explicitly tells the agent to install missing dependencies itself when safe, but it does not warn the user that software may be installed on their system. That creates an implicit system-modification behavior without informed user consent, which can lead to unexpected package installation, supply-chain exposure, or environment changes.

VirusTotal

65/65 vendors flagged this skill as clean.
