Security audit

interactive-explainer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed educational video-generation workflow with external AI API use and local media processing, and I found no artifact-backed hidden exfiltration or destructive behavior.

Install only if you are comfortable providing Pruna and optionally Replicate credentials and sending generated prompts/media to those services. Keep outputs in a dedicated project directory, use the approval phases instead of skip flags, and consider pinning or updating Pillow before running the helper scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not crossfades or all(f <= 0 for f in crossfades):
        list_file = output.parent / ".concat_list.txt"
        list_file.write_text("\n".join(f"file '{p.resolve()}'" for p in clip_paths) + "\n")
        subprocess.run(
            [
                ffmpeg,
                "-y",
Confidence
88% confidence
Finding
subprocess.run( [ ffmpeg, "-y", "-f", "concat", "-safe", "0", "-i",

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill describes and orchestrates capabilities that imply environment access, filesystem reads/writes, shell execution, and network use, but it does not declare permissions or clearly bound those privileges. Undeclared powerful capabilities make review, sandboxing, and policy enforcement harder, increasing the chance that a media-generation workflow could access or modify resources beyond what operators expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared description presents the skill as an educational explainer aid, but the instructions reveal a much broader automated production pipeline with external API calls, local media processing, artifact creation, and workflow state management. This mismatch can mislead reviewers and users about the actual trust boundary, causing underestimation of data exfiltration, secret use, network transmission, and local execution risks.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README identifies the skill as "visual-transition-reel" and describes a visual montage workflow, which conflicts with the declared interactive-explainer skill purpose. This kind of documentation mismatch can cause users or downstream agents to run the wrong workflow, misunderstand the skill’s capabilities, or trust incorrect operational guidance, increasing the chance of unsafe or unintended use.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The install/run instructions reference paths, templates, and execution steps that appear tied to a different workflow intent than the declared interactive-explainer skill. Misleading execution guidance can result in operators invoking the wrong assets or scripts, causing integrity issues, accidental misuse of neighboring workflow components, and reduced ability to validate what the skill actually does.

Description-Behavior Mismatch

High
Confidence
88% confidence
Finding
This script adds autonomous background-music generation and local video remixing, which is materially broader than the declared purpose of an interactive educational explainer skill. Capability drift matters because it enables modification of user media and outbound model usage without clear justification, increasing the risk of unexpected data handling and abuse if the skill is invoked in broader workflows.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The code sends prompts and generation parameters to an external AI service and rewrites local video outputs, which creates data exfiltration and integrity risks outside the stated explainer-only context. In a mismatched skill, these capabilities are more dangerous because users and operators may not expect remote media generation, token use, or file transformation side effects from a supposedly educational dialogue tool.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This module adds broad remote orchestration capabilities including file upload, remote prediction execution, polling, and file download, which are not justified by an educational explainer skill. In a skill whose stated purpose is narrative/educational output, these capabilities materially expand the attack surface for data exfiltration and remote content ingestion.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The upload_file function reads arbitrary local file contents and transmits them to an external API. In the context of an educational explainer skill, this is an unjustified sensitive capability that could be used to exfiltrate local data if wired to user- or system-controlled paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The download_file function retrieves remote content and writes it directly to a local path, creating a sink for untrusted data on disk. Without stronger validation, this can enable unsafe file placement, persistence of attacker-controlled content, or overwriting of expected files, depending on how the destination is chosen upstream.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
This file provides generic helpers for outbound API calls, credential use, uploads, and downloads to Replicate, which exceeds what users would expect from a simple educational explainer skill unless clearly disclosed. In a skill context, this broad network and file-transfer capability increases the chance of unexpected data egress or remote content ingress if invoked by higher-level logic.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code uploads file contents to a third-party service without any user-facing disclosure or consent mechanism in the implementation. Even if intended for legitimate processing, silent transmission of local data is a privacy and trust risk, especially in a skill unrelated to external file processing.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The prediction request sends input payload data to an external API without visible notice in this code path. If the payload can contain user data or prompt contents, this creates an undisclosed external sharing channel that is inconsistent with the skill's educational framing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Downloaded content is written to local storage without any user-facing warning or indication. This creates a transparency issue and can surprise operators by persisting third-party data onto disk in a skill that does not appear to require such behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
upload_file() reads an arbitrary local file and transmits its contents to a third-party API using the provided token, with no user-facing warning or confirmation in this code. In an agent skill, that can lead to unintended exfiltration of local data if higher-level code passes sensitive paths.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
download_url() retrieves remote content and writes it directly to a caller-specified path without warning, content validation, or integrity checks. In a skill environment, this can introduce untrusted files onto disk and may overwrite or populate sensitive locations if the destination is not tightly controlled by the caller.

External Transmission

Medium
Category
Data Exfiltration
Content
body += f"\r\n--{boundary}--\r\n".encode("utf-8")
    status, payload = api_request(
        "POST",
        "https://api.pruna.ai/v1/files",
        headers={
            "apikey": api_key,
            "Content-Type": f"multipart/form-data; boundary={boundary}",
Confidence
84% confidence
Finding
https://api.pruna.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
def create_prediction(model: str, input_payload: dict, api_key: str) -> dict:
    status, payload = api_request(
        "POST",
        "https://api.pruna.ai/v1/predictions",
        headers={
            "Content-Type": "application/json",
            "apikey": api_key,
Confidence
80% confidence
Finding
https://api.pruna.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
).encode("utf-8") + path.read_bytes() + f"\r\n--{boundary}--\r\n".encode("utf-8")
    status, payload = api_request(
        "POST",
        "https://api.replicate.com/v1/files",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": f"multipart/form-data; boundary={boundary}",
Confidence
86% confidence
Finding
https://api.replicate.com/

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=10.0.0
Confidence
95% confidence
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: Pillow==10.0.0 — 8 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +5 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
Pillow==10.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.