MadStory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real video-storyboard tool, but it needs review because it can expose prompts through optional external LLM/API paths and includes loosely constrained exact-remake/person-replacement workflows.

Install only if you are comfortable with a Chinese-language storyboard tool that may run an unauthenticated local API if started, may transmit prompts to an external LLM when LLM enhancement is configured, and includes remake/person-replacement modes that should be used only with rights and consent. VirusTotal was clean, and I did not find destructive or hidden malware behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The save_session and load_session methods accept arbitrary filesystem paths and read/write JSON without constraining location, enabling path traversal or overwrite of unintended local files when the path is attacker-controlled. In an agent/skill context, this is more dangerous because user input or upstream orchestration may supply file paths, turning a storyboard tool into a generic local file read/write primitive.

Intent-Code Divergence

Severity: Low
Confidence: 97%
Finding:
`validate_for_platform()` claims to perform platform/security validation, but it references `AdMode.DEFAULT_SEEDANCE_MODE` even though `AdMode` is never imported in this module. In practice this can raise a `NameError` and cause validation to fail at runtime, which may let unsupported modes bypass checks if callers ignore errors or skip validation after failures.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger list is very broad and includes generic terms like short-video creation, storyboard scripts, and AI video prompt generation. In an agent environment, this can cause the skill to activate for ordinary user requests outside the user's intent, leading to prompt hijacking of the routing layer and unexpected handling of unrelated content.

Vague Triggers

Severity: High
Confidence: 91%
Finding:
The activation rule includes a broad catch-all that effectively says to always use this skill for any AI video storyboarding request, which can hijack unrelated user tasks and route them into a more capable skill than necessary. Over-broad invocation expands the attack surface by causing unnecessary loading of auxiliary files or code paths and can bypass user expectations about which tool is being used.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The trigger list contains generic creative phrases that overlap with ordinary requests, making accidental activation likely. While this is primarily a routing and safety-boundary problem rather than direct code execution, in this skill's context it is more concerning because activation may lead to loading additional references and executable modules.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding:
The file is entirely written in Chinese and presents mandatory operational rules without offering a language-selection path or documenting that the skill is intentionally restricted to Chinese-speaking users. This can create unsafe or misleading behavior when non-Chinese users invoke the skill, because they may misunderstand constraints, prompts, or output requirements and receive unusable or incorrect results.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The session save endpoint writes serialized session state to a predictable location in the system temp directory and returns that filesystem path to the caller. If session contents include sensitive creative inputs or internal state, this can lead to unintended persistence, local disclosure to other users/processes on the same host, and accumulation of stale sensitive files because there is no access control, cleanup policy, or secure file permission handling shown.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code sends raw user input to an external LLM service for multi-intent splitting without any visible consent, redaction, or disclosure mechanism in this file. Because user prompts in this skill may contain scripts, product plans, or other sensitive business content, this creates a real confidentiality and privacy risk when remote inference is enabled.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The HTTP client posts prompts, candidate content, and other user-derived material directly to a configurable external endpoint. This is dangerous because the endpoint is externally controlled via configuration, and there are no visible safeguards here for notice, allowlisting, redaction, or data handling constraints.

Ssd 4

Severity: Medium
Confidence: 91%
Finding:
The viral replication workflow explicitly encourages recreating a reference video's content ('还原一切细节', i.e. "restore every detail") and replacing the person, which facilitates deceptive impersonation, unauthorized likeness substitution, and copyright-style cloning. In this skill's context, that is more dangerous because the feature is framed as a normal creation mode, making abuse for spoofed ads or fake endorsements easier.

VirusTotal

64/64 vendors flagged this skill as clean.