Security audit

illustrated-story-reel

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its slideshow purpose, but bundled references expand into paid video/API workflows that conflict with its stated no-video scope.

Install only if you are comfortable with Pruna/Replicate API use, local ffmpeg execution, and media files being written in an output directory. Treat the no-video scope as authoritative: do not follow the bundled p-video/avatar/animate examples for this skill, keep API keys out of subagents unless explicitly required, and review stills/audio before any paid or automated phase.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        f.write(f"file '{p.resolve()}'\n")
        list_path = f.name
    try:
        subprocess.run(
            [
                ffmpeg,
                "-y",
Confidence
94% confidence
Finding
subprocess.run( [ ffmpeg, "-y", "-f", "concat", "-safe", "0", "-i",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        f.write(f"file '{p.resolve()}'\n")
        list_path = f.name
    try:
        subprocess.run(
            [
                ffmpeg,
                "-y",
Confidence
94% confidence
Finding
subprocess.run( [ ffmpeg, "-y", "-f", "concat", "-safe", "0", "-i",

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes external models and local assembly tooling, which implies network access, shell execution, and file read/write behavior, yet it declares no permissions. That creates a trust and sandboxing gap: a runner or reviewer may assume the skill is low-risk while it can upload local media, download generated outputs, and execute ffmpeg/Python workflows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill description frames the capability mainly as a still-image story reel and 'not full motion-video generation', but the documented workflow also performs remote media generation, local-to-external file transfer, and ffmpeg-based assembly into an MP4. This mismatch can mislead users and policy engines about the actual data exposure and execution behavior, increasing the risk of unintended uploads, broader capability use, or insufficient review.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This section materially broadens the skill from still-image reels/slideshows into multi-scene video, avatar, motion-transfer, and narration workflows. In an agent setting, that scope expansion can cause the agent to invoke paid video-generation capabilities and produce outputs the skill metadata explicitly says it should not perform, undermining user intent and safety boundaries.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The defaults instruct agents to use production async predictions for video/avatar/batch jobs as normal behavior, which conflicts with the skill's declared scope of still-image story reels rather than full motion-video generation. That mismatch can drive autonomous agents to spend money, access broader tooling, and generate disallowed media types without a clear user request.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Passing PRUNA_API_KEY to per-lane subagents increases credential exposure and operational reach, especially when those subagents are spawned in parallel. In a skill that is supposed to stay within still-image/slideshow assembly, distributing API credentials for broader generation workflows is unnecessary and raises the risk of misuse, overspend, or leakage across agent boundaries.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this skill is for still-image reels and explicitly not full motion-video generation, but the guidance authorizes Phase B video generation with `p-video-*` models once approvals are obtained. That creates a capability mismatch: an agent using this reference can legitimately escalate from stills into full video generation, violating the declared safety and product boundary for the skill.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document is framed around gating expensive video and replacement jobs, which is inconsistent with a skill advertised as limited to still-image story reels or slideshows. In context, this mismatch increases the chance that downstream agents or operators treat video generation as an intended, supported path for this skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The plan-runner examples provide concrete commands for `--phase video`, `--phase render`, `--phase all`, and final assembly, making misuse operationally easy rather than merely theoretical. Because these are copy-pasteable execution paths inside a supposedly still-image-only skill reference, an agent can be induced to run full video pipelines contrary to the skill manifest.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The documented skip flags `--yes-skip-stills-gate` and `--yes-skip-clips-gate` weaken human approval controls and are described broadly as for 'automation only' without technical safeguards. If exposed to an agent or user, they can bypass the staged-review protections that are supposed to prevent costly or policy-inconsistent generation from proceeding unchecked.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The ffmpeg command is invoked with -y, which forces overwriting any existing output file without confirmation. If output paths are user-controlled or mistakenly point to important files, this can cause silent data loss and destructive file replacement in a workflow that handles media outputs automatically.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script persists a metadata JSON file containing the generation prompt, model name, output path, and related details without an explicit notice or opt-out. In creative workflows, prompts can contain sensitive project details, internal codenames, or personal information, so silent persistence increases privacy and data-retention risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0.0
Confidence
95% confidence
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: Pillow==10.0.0 — 8 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
Pillow==10.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.