Security audit

news-video-maker

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward news-video workflow that uses search, text-to-speech, and FFmpeg in ways that match its stated purpose.

Install only if you are comfortable with the agent sending news search queries and narration text to the configured search and TTS providers. Use trusted input paths and output directories because the workflow runs FFmpeg to create a local MP4 file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill directs the agent to use external web search tools against live news sources without clearly warning the user that network access will occur or that third-party services may receive query data. In an agent environment, this can expose user prompts, interests, or embedded sensitive context to external providers and may violate user expectations around data handling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal