Security audit

MadStory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed storyboard and media-prompt helper with no executable runtime behavior, but users should apply copyright and routing caution.

Install only if you want a broad Chinese-language storyboard and AI media prompt assistant. Be cautious with the viral-replication mode: use it for lawful inspiration and transformation, not to copy protected ads, films, brands, or identifiable creative expression too closely. If accidental activation is annoying, prefer invoking it by its specific name or explicit storyboard/video-prompt requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Mode 6 explicitly encourages users to replicate competitor or viral reference videos, including copying structure, style, pacing, and even 'fully reproducing classic film details' with only subject replacement. In a content-generation skill, this meaningfully increases the risk of facilitating copyright infringement, brand misuse, and deceptive imitation rather than merely assisting with original storyboard creation.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The trigger list includes many broad, commonly used phrases such as generic video, image, script, and short-drama terms. In an agent/skill routing context, this can cause accidental invocation in unrelated conversations, which may steer users into the wrong workflow, expose unintended skill behavior, or override more appropriate skills. The risk is elevated because the skill advertises a very large alias surface and is intended for automatic triggering.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The loading condition is broadly defined to trigger on many generic image-generation and visualization scenarios, which can cause the skill to be invoked outside its intended narrow context. In an agent system, overbroad activation increases the chance of prompt hijacking, policy bypass through unintended routing, or incorrect tool selection that exposes users to unsafe or irrelevant behavior.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The loading rule is broad enough that this reference file may be pulled in automatically whenever input validation 'degrades' or when the user only loosely matches Mode 8 intent. In a prompt-routed skill, ambiguous activation can cause unnecessary context injection, unintended behavior changes, and make downstream safety/control logic less predictable, even though this file itself is only creative-template content.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.