Podcast Generation from PDF, Text, and Links

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends user-approved text or PDF links to MagicPodcast to generate a podcast, with no evidence of hidden persistence or unrelated data access.

Install only if you are comfortable sending the chosen PDF URL or pasted text to MagicPodcast for processing. Avoid submitting confidential documents unless you have checked MagicPodcast's privacy and retention terms and have permission to share that content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

External Transmission

Medium

Category: Data Exfiltration
Content: payload="$(jq -n --arg pdfUrl "$PDF_URL" --arg language "$LANGUAGE" '{pdfUrl:$pdfUrl,language:$language}')" curl -sS -X POST "$MAGICPODCAST_API_URL/agent/v1/podcasts/pdf" \ -H "Content-Type: application/json" \ -H "x-api-key: $MAGICPODCAST_API_KEY" \ --data-binary "$payload"
Confidence: 96% confidence
Finding: curl -sS -X POST "$MAGICPODCAST_API_URL/agent/v1/podcasts/pdf" \ -H "Content-Type: application/json" \ -H "x-api-key: $MAGICPODCAST_API_KEY" \ --data-binary "$payload" ``` Create from text: ``

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal