Back to skill

Security audit

Comic Drama Generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed comic-drama video production workflow, with expected external-service, public-URL, and local file output considerations.

Before installing, review the three prerequisite skills, configure API keys through secure environment variables, confirm quota or cost expectations, avoid using sensitive media in public URLs, and keep generated files in a dedicated project folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is broad enough to trigger on many general creative-video requests, which can cause the agent to invoke a heavyweight workflow unexpectedly. In this skill's context, that matters because the workflow installs tools, relies on external services, uses public asset URLs, and writes files locally, so over-selection can lead to unnecessary data exposure, cost, and side effects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to download, save, trim, merge, and export media locally, but it does not prominently warn the user up front that local filesystem side effects will occur. In practice this can surprise users, consume disk space, retain sensitive media on disk, and create persistence risks if the project contains private or copyrighted material.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill mandates use of public URLs for handing assets between services without a clear privacy warning, which can expose character images, storyboards, or other media to unintended parties and make them accessible beyond the immediate workflow. This is more dangerous in context because the pipeline is explicitly multi-service and records asset URLs in project docs, increasing the chance of persistent exposure and accidental sharing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow discusses ensuring API credentials are present and preserving final public asset URLs, but provides no privacy guidance or constraints on how those values are handled. In a multi-tool pipeline, this can lead to accidental credential exposure in shell history, logs, prompts, shared artifacts, or publication of publicly accessible asset links containing sensitive creative material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.