Back to skill

Security audit

Creatok Generate Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed CreatOK video-generation skill that uses a CreatOK API key and external API calls, with confirmation required before starting paid generation.

Install only if you trust CreatOK with your prompts, selected reference images, API key, and any credits spent. In multi-skill environments, be aware that some activation phrases are broad; confirm the exact generation plan before allowing a task to start, and avoid bypass flags unless the user already approved the request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases include common commands like 'start video generation' and 'start this generation', which are generic enough to match normal conversation outside a clearly scoped CreatOK workflow. Broad activation increases the chance the skill is invoked unintentionally, potentially causing paid actions, external API calls, or disclosure of prior conversation content to a third party.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description 'Use when generating, resuming, or checking TikTok videos, ads, or selling videos' is broad enough to cover many ordinary requests and may steer orchestration systems toward this networked, paid-action skill too aggressively. In context, that matters because the skill can submit jobs to an external service and process user creative content, so overbroad routing raises the likelihood of unintended activation and data sharing.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The handoff guidance includes broad natural-language trigger examples such as 'go ahead and generate' or 'turn this into a video,' which can match ambiguous user requests and cause the agent to switch skills prematurely. In a multi-skill system, this can lead to unintended actions, context being forwarded to the wrong skill, or bypassing more appropriate confirmation steps.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.