Security audit

Jogg Lip Sync

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Jogg lip-sync runner that uploads user-selected media to Jogg and polls for results, with no artifact-backed malicious behavior found.

Install only if you trust this Jogg integration and are comfortable sending the chosen video/audio files or URLs to Jogg for processing. Use a revocable API key, avoid sensitive media unless appropriate, and leave JOGG_BASE_URL at the default unless you intentionally trust another endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger phrases are broad enough that the skill may auto-activate for common lip-sync-related requests, causing unexpected execution against local files or remote URLs. In a skill that uploads user-provided media to an external API and runs shell commands, overbroad triggering increases the chance of unintended data transmission or action without clear user intent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill description and instructions do not clearly warn that supplied video/audio inputs, including local files, will be transmitted to Jogg's remote API. This creates a data privacy and consent risk because users may provide sensitive media without understanding it leaves the local environment.

External Transmission

Medium

Category: Data Exfiltration
Content: upload_status_file=$(mktemp) run_with_heartbeat "uploading binary to storage" \ sh -c ' curl -sS -o /dev/null -w "%{http_code}" -X PUT "$1" -H "Content-Type: $2" --data-binary "@$3" > "$4" ' sh "$sign_url" "$content_type" "$media_input" "$upload_status_file" || { rm -f "$upload_status_file" json_error "upload failed"
Confidence: 80% confidence
Finding: curl -sS -o /dev/null -w "%{http_code}" -X PUT "$1" -H "Content-Type: $2" --data-binary

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.