Back to skill

Security audit

shorts-generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only short-video generation skill whose third-party media and voice-provider use is expected for its purpose, but users should avoid sharing sensitive content or broad API credentials casually.

Install only if you want an agent to help plan or generate short-form video content. Before using provider-backed features, confirm which services will receive your URLs, scripts, images, audio, or video, and use limited-scope API keys or subscriptions rather than sensitive personal or production credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest description contains broad activation cues such as 'video generation pipeline, script generation engine, content engines, visual asset sourcing, caption generation' without clear boundaries for when the skill should or should not be invoked. In an agentic environment, this can cause over-selection of the skill for loosely related tasks, increasing the chance that URL ingestion, external provider use, or automated media actions are triggered in contexts the user did not explicitly intend.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports URL-to-short workflows and automated use of external asset, voice, and media providers, but it does not include user-facing warnings, consent gates, or data-handling constraints. This is dangerous because user-supplied URLs, extracted content, and generated assets may be sent to third-party services or processed in ways the user does not expect, creating privacy, compliance, and unauthorized data-sharing risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.