Free Animation Videomaker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate cloud video/animation skill, but its instructions are too broad about when to send user content to the remote backend.

Install only if you are comfortable with prompts and uploaded media being processed by an external video backend. Avoid using it with private or sensitive files, and prefer an updated version that asks before uploads/renders and only routes clearly video-related requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger guidance suggests generic phrases like "create my images or text" and "export 1080p MP4," which are common in normal conversation and can cause the skill to activate when the user did not explicitly intend to invoke it. Because the skill performs networked actions such as token acquisition, session creation, uploads, and export workflows, unintended invocation can lead to unexpected data transmission and backend-side actions.

Vague Triggers

Medium

Confidence: 97% confidence
Finding: The routing rule that sends "Everything else" to the SSE action is overly broad and effectively treats almost any unmatched prompt as an instruction to the remote backend. This creates a large surface for accidental activation and unintended forwarding of user content to an external service, especially since SSE is the primary path for generation and editing requests.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal