Explainer Video Guide

Security checks across malware telemetry and agentic risk

Overview

This video-production skill appears purpose-aligned, but its CLI install command uses a risky remote shell installer that users should review before running.

Before installing, review the `https://cli.inference.sh` installer or use any available manual, checksum-verified install path. Install only if you trust the inference.sh distribution channel and are comfortable allowing the skill to use that CLI for video-generation work.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill tells users to fetch and execute a shell script directly from the network with `curl ... | sh` and does not prominently warn about the risks. If the remote host, delivery path, or script content is compromised, users could execute arbitrary code on their machine immediately.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal