Back to skill

Security audit

Embedded Captions

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-captioning skill, but it asks for broad local rendering authority and can trigger network-fetched code and global HyperFrames skill updates.

Install only if you are comfortable running HyperFrames media tooling in a controlled workspace. Review or avoid the global `hyperframes init` update behavior, prefer vendored/local GSAP when possible, and expect runtime downloads or network access for models/packages and CDN assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The example render imports GSAP from a third-party CDN at runtime, which introduces a supply-chain and integrity risk: whoever controls or tampers with that dependency path can execute arbitrary JavaScript in the rendering context. In this skill's context, the file is an HTML render artifact for a captioning pipeline, so remote script loading is inconsistent with the described local/offline workflow and unnecessarily expands trust boundaries.

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
The HTML example imports GSAP from a third-party CDN at runtime, which introduces a supply-chain and availability dependency outside the skill's stated local render pipeline. If the CDN is unavailable or the served asset is tampered with, the render environment could execute untrusted JavaScript during caption generation or preview.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The generated HTML loads GSAP from a third-party CDN at runtime, which creates a supply-chain and availability dependency outside the project’s control. If the CDN asset is unavailable, swapped, or blocked by a restricted render environment, rendering can fail or execute unexpected code in the caption-rendering context.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script launches headless Chromium with --disable-web-security and --allow-file-access-from-files while loading a locally generated index.html that may contain untrusted or user-influenced HTML/CSS/JS. That combination removes same-origin protections and permits broader file:// access, so any injected script in the composition could read local resources or make cross-origin requests that would normally be blocked.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger language is broad enough to cause the skill to activate on ambiguous or ordinary requests, which can lead to inappropriate tool invocation and unsafe automation paths. In an agent environment, overbroad routing increases the chance of the wrong skill taking control of a request and performing heavyweight media-processing steps the user did not clearly ask for.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file loads GSAP directly from a third-party CDN at runtime, which introduces a supply-chain and integrity risk: if the CDN, DNS, or transit path is compromised, attacker-controlled JavaScript would execute in the rendering context. In this skill, the HTML is a composition engine that processes templated data and media, so remote script execution would affect every render using this template and is more dangerous than a purely informational page.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The page silently performs a third-party script fetch without any disclosure, which can surprise operators who expect an offline/local media-processing pipeline. This increases risk because network access, telemetry exposure, and remote script execution occur implicitly when the example is opened.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text uses broad, subjective routing cues such as "true crime," "heist energy," "edgy product drops," and "unhinged-comedy hooks," which can cause the agent to select this theme in contexts the user did not explicitly request. In a skill that routes by identity, ambiguous trigger language increases the chance of misapplication, producing unexpected stylistic behavior and making downstream agent behavior less predictable.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/transcribe.cjs:205