Giggle Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video-generation connector, but users should understand it sends prompts to giggle.pro and stores task metadata locally.

Install only if you are comfortable sending video prompts and generation parameters to giggle.pro. Avoid including secrets or sensitive personal data in prompts, protect GIGGLE_API_KEY as a secret, confirm GIGGLE_API_BASE is not set to an unexpected endpoint, and check whether shared/outputs/director is private enough for your generated video metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (88% confidence)
Finding
The trigger conditions are broad enough to activate on common user requests such as generic video creation or creative assistance, which increases the chance the skill is invoked without the user clearly intending to use this specific external service. In this skill, unintended activation can lead to external API usage, cost incurrence, prompt transmission to a third party, and creation of stored artifacts, so the broad matching meaningfully increases security and privacy risk.

Missing User Warnings

Medium (95% confidence)
Finding
The skill documents that outputs and metadata are archived to a shared path, but it does not clearly warn users beforehand that their prompts, task details, and resulting video metadata may be stored in a shared location. Because prompts may contain proprietary, personal, or sensitive creative material, this omission creates a real confidentiality and privacy risk, especially in multi-user or shared-workspace environments.

Missing User Warnings

Medium (94% confidence)
Finding
The skill explicitly sends user-supplied prompts to an external third-party API, but the implementation text does not include a user-facing notice that prompt content leaves the local system and is processed by giggle.pro. This creates a real privacy and data-handling risk because users may submit sensitive or regulated content without informed consent.

Missing User Warnings

Low (88% confidence)
Finding
The documentation requires use of a bearer-token credential via GIGGLE_API_KEY but provides no guidance about secure handling of that secret. This increases the chance of accidental credential exposure through logs, examples, debugging output, or unsafe sharing of environment configuration.

VirusTotal

64/64 vendors flagged this skill as clean.
