Security audit

avatar-multi-scene

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Pruna video-generation workflow, but users should be careful with API-key handling, paid generation gates, and media-processing dependencies.

Install this skill only if you intend to use Pruna APIs for paid media generation. Keep PRUNA_API_KEY in environment-managed secrets, review stills and clips before approving paid phases, avoid pasting credentials into subagent prompts, and, where possible, install dependencies with a current patched Pillow release and pinned Git revisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill explicitly instructs the agent to write scripts, execute shell commands, use environment variables like PRUNA_API_KEY, upload/download files, and run local tooling, yet it declares no permissions. That mismatch can cause an agent runtime to expose file, shell, and secret-handling capabilities without transparent consent or policy review, increasing the chance of unintended command execution or data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly tells the parent agent to pass a `PRUNA_API_KEY` note to each subagent, which encourages credential propagation across execution boundaries without any scoping, redaction, or user-visible warning. In agent hosts, subagents may have different logging, memory, or prompt-visibility surfaces, so broad credential sharing increases the chance of accidental leakage or misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly exposes `--yes-skip-stills-gate` and `--yes-skip-clips-gate` as ways to bypass human approval checkpoints, but the nearby guidance does not require strong operator warnings, role restrictions, or compensating controls at the point of use. In this skill, those gates exist to prevent expensive or low-quality video/audio generation, so bypassing them can defeat the intended safety and cost controls and enable unattended high-cost runs or unsafe outputs to proceed without review.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The guidance explicitly requires alternating `persona_gender` with gendered voice labels and says face-swap references must remain the same gender as the source on talking-head beats. That bakes an unnecessary sensitive-attribute constraint into workflow behavior without user consent, reducing user autonomy and potentially causing discriminatory or exclusionary outputs for transgender, nonbinary, or gender-nonconforming subjects.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0.0
Confidence
93% confidence
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: Pillow==10.0.0 — 8 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +5 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
Pillow==10.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.