Security audit

Digital Avatar

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill coherently helps create digital avatars and talking-head videos, but users should treat uploaded photos, voice samples, and provider API keys as sensitive.

Install only if you are comfortable sending selected photos, voice samples, scripts, and related metadata to the chosen third-party avatar provider. Use only media you are authorized to use, review the provider's privacy and commercial terms, and keep API keys in local secret storage rather than in committed project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly supports uploading real photos and audio samples to third-party avatar and voice-cloning providers, but it does not clearly disclose data-transfer, retention, biometric/privacy, or cross-border processing risks at the point of use. Because the content involves face images and voice samples, the sensitivity is higher than ordinary media upload and can lead to privacy harm, consent violations, or regulatory noncompliance if users are not properly warned.

Missing User Warnings

Medium
Confidence: 97%
Finding
The example instructs users to create an avatar from a photo and says to upload the image via API, but it omits an explicit warning that the image will leave the local environment and be transmitted to an external service. In this skill's context, that omission is especially risky because the image is a real person's likeness and may be used for avatar generation, which raises consent, impersonation, and biometric privacy concerns.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.