Security audit

Avatar Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent HeyGen video skill, but it should be reviewed because it can use your HeyGen account to upload private media, spend credits, register callbacks, and delete account assets without clear safety prompts.

Review before installing if the HeyGen account contains valuable assets or paid credits. Use a limited API key if possible, avoid sending sensitive media or personal data unless you have consent, confirm any upload from a URL, webhook registration, batch generation, or delete action, and prefer test mode while developing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The documented `uploadFromUrl` helper expands the skill from local asset upload into arbitrary remote URL fetching, which broadens capability beyond the stated purpose. Even with an HTTPS-only check, it can still be used to retrieve attacker-controlled content or internal resources exposed over HTTPS and then relay them to HeyGen, creating SSRF-like and unintended data-transfer risk.

Context-Inappropriate Capability

High
Confidence: 83%
Finding
The document includes destructive DELETE endpoints unrelated to the core photo-to-video task without guardrails such as explicit confirmation, ownership checks, or warnings about irreversible deletion. In agentic contexts, exposing destructive operations in the same skill materially raises the chance of accidental or prompt-induced deletion of avatars or groups.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation encourages uploading images, videos, and audio to a third-party service but does not prominently warn users that local or provided files will be transmitted externally. This omission can lead to accidental disclosure of sensitive personal, proprietary, or regulated media.

Missing User Warnings

Medium
Confidence: 88%
Finding
Describing DELETE endpoints without warning or confirmation guidance is dangerous in automation because agents may execute destructive actions too eagerly once they are available. The absence of friction or safety UX increases the likelihood of accidental deletion and operational loss.

Missing User Warnings

Medium
Confidence: 89%
Finding
The examples encourage sending personalized recipient data such as names, emails, company names, and custom messages to a third-party video-generation service without any privacy notice, minimization guidance, or consent requirements. In a skill focused on external media generation, this context makes the omission more significant because users are likely to copy the batch-personalization workflow directly into production with real personal data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation repeatedly demonstrates sending user-provided scripts, image URLs, audio URLs, and locally sourced image data to HeyGen's external API, but it never clearly warns that this transmits potentially sensitive user content to a third-party service. In an agent-skill context, this omission is security-relevant because downstream integrators may unknowingly route private prompts, media, or internal assets off-platform.

Missing User Warnings

Medium
Confidence: 78%
Finding
The example persists pending-video.json containing script text, avatar ID, and voice ID to local disk without any warning, minimization, or retention controls. In agent environments, scripts may contain sensitive user-provided content, and silent local persistence can create unintended data retention, leakage through logs/backups, or exposure to other local users/processes.

Missing User Warnings

Medium
Confidence: 75%
Finding
The examples send user-provided script and audio data to HeyGen's external API using API-key-authenticated requests, but they do not warn that prompts, scripts, audio URLs, and associated metadata leave the local environment. In an agent-skill context, missing disclosure increases the chance that operators unknowingly transmit sensitive or regulated content to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.