Back to skill

Security audit

Scene Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a markdown-only helper for generating AI video through named external providers, with expected privacy and API-key cautions but no hidden or destructive behavior found.

Install only if you trust the video provider you configure. Treat API keys as secrets, keep them out of shared files and Git, monitor spending limits, and avoid submitting confidential prompts, unreleased assets, personal photos, or regulated data unless the provider's privacy terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user prompts and possibly reference images to third-party video-generation backends, but the documentation does not warn users that their content leaves the local/system boundary. This creates a real privacy and data-handling risk, especially if users submit sensitive business materials, personal photos, or confidential scene descriptions under the assumption they remain internal.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document shows concrete credential configuration fields, including an access key and secret key pair, but provides no warning to keep these secrets out of source control, logs, or shared config files. In practice, users often copy example config into local project files, so omitting secret-handling guidance increases the risk of credential leakage and downstream abuse of paid third-party video APIs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs users to connect multiple external AI video providers but does not disclose that prompts, images, and generated media may be transmitted to third-party services and governed by their retention and training policies. Because this skill processes scene descriptions and optional talking-head content, users may unknowingly send sensitive creative, personal, or proprietary media off-platform.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.