Talking Head Production

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for making AI talking-head videos, with expected external CLI use and media uploads, but users should verify the installer and avoid sensitive likeness or voice data.

Before installing, inspect or manually download the inference.sh CLI installer and verify checksums/signatures where possible. Only upload portraits, voices, scripts, and videos that you have the right and consent to process, and review the provider's privacy, retention, deletion, and billing terms before using it with sensitive or regulated content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to upload portraits and audio to third-party remote inference services, but it does not provide a clear privacy warning, data handling notice, or guidance on avoiding sensitive content. Because portraits and voice recordings are biometric and potentially identifying data, users may unknowingly transmit personal data off-device to external providers.

VirusTotal

63/63 vendors flagged this skill as clean.
