Back to skill

Security audit

Giggle Generation Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Giggle video-generation skill that sends prompts or image inputs to giggle.pro and returns generated video links, with no hidden installer, unrelated data access, or destructive behavior found.

Install only if you trust giggle.pro with your video prompts, reference image URLs, asset IDs, base64 image data, generated videos, and API usage. Avoid submitting private or sensitive media, use a revocable API key where possible, monitor Giggle account usage, and clear saved task IDs if you do not want old generation jobs remembered.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger list includes broad phrases like 'generate video' and 'AI video,' which can cause the skill to activate on common user requests without enough specificity. Over-broad activation increases the chance of unintended invocation, unnecessary transmission of user prompts or images to a third-party service, and surprise external API usage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user prompts and potentially start/end frame images, URLs, or base64 data to giggle.pro, but it does not prominently warn users that their content will be shared with an external provider. This creates a privacy and data-handling risk, especially if users provide sensitive images, confidential scenes, or personal information in prompts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell the agent to forward full signed video URLs including Policy, Key-Pair-Id, and Signature parameters directly to the user without any warning. Signed URLs are bearer-style access tokens; exposing them in chat, logs, memory, or downstream tooling can allow unintended access to generated media until the URLs expire.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.