movie-search

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it should be reviewed because it steers movie and TV searches toward torrent and download sites that may be illegal or unsafe.

Install only if you specifically want an agent to generate third-party movie/TV download and torrent search links. Prefer official streaming, rental, purchase, or public-domain sources; verify copyright legality in your jurisdiction; and avoid downloading files from unknown torrent or download pages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 96% confidence
Finding: The skill is configured to trigger on a very broad set of movie-search phrases and explicitly says it should activate even when the user does not mention the skill. That increases the chance of unsolicited activation and automatic delivery of piracy-related links, bypassing normal user intent confirmation and policy gating for risky content.

Missing User Warnings

High

Confidence: 99% confidence
Finding: The skill openly provides torrent, BT, magnet, and download-site links but does not warn users that it may surface infringing or unsafe third-party resources. In this context, the omission is dangerous because the entire skill is centered on locating copyrighted content from piracy-associated sites, creating legal, trust, and malware-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal