Security audit

gemini-3.1-flash-tts

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Replicate text-to-speech workflow guide with optional Pruna video handoff, and I found no hidden execution, persistence, exfiltration, or destructive behavior.

Before installing, be comfortable with sending narration text and style prompts to Replicate, and with optional Pruna uploads if you use the video workflow. Keep API keys in environment variables, avoid committing them, and review the included diversity-prompting reference if you do not want the agent to add demographic composition cues in downstream image or video prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The document explicitly instructs the agent to enforce mixed-gender composition in group-class scenes (`mixed-gender class`, `all-male or all-female group class` marked as wrong) even when the user has not requested demographic balancing. That creates an autonomy and policy issue: the system may alter user intent and inject sensitive demographic attributes into outputs by default, which is risky in a generation skill that operationalizes prompt construction.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.