Ai Avatar Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for cloud avatar-video generation, but users should verify the CLI installer and avoid sending sensitive face, voice, or video media without consent.

Before installing, prefer manual download and checksum verification for the inference.sh CLI instead of piping curl directly to sh. Use an inference.sh account you trust, understand that media URLs are processed by external services, and only submit portraits, voices, audio, or videos you own or are authorized to use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to upload images, audio, and videos to external services without warning about privacy, consent, or biometric implications. Because the skill is specifically designed for face, voice, and video synthesis, users may expose sensitive personal data or create deepfake-like content without understanding retention, third-party processing, or consent requirements.

External Script Fetching

High

Category: Supply Chain
Content: ## Quick Start ```bash curl -fsSL https://cli.inference.sh | sh && infsh login # Create avatar video from image + audio infsh app run bytedance/omnihuman-1-5 --input '{
Confidence: 98% confidence
Finding: curl -fsSL https://cli.inference.sh | sh

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal