短剧生成器

Security checks across malware telemetry and agentic risk

Overview

This skill coherently creates short audio dramas using SenseAudio, with no evidence of hidden exfiltration, destructive behavior, or unrelated privileges.

Install only if you are comfortable sending the generated script dialogue to SenseAudio for speech synthesis. Do not include secrets, private business information, or sensitive personal data in prompts or scripts, and avoid echoing or pasting the API key into shared logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README advertises use of an external TTS API but does not clearly warn users that their prompts, generated scripts, and dialogue content will be transmitted to a third-party service. This creates a real privacy and data-handling risk, especially if users provide sensitive, proprietary, or personal content expecting local-only processing.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases are broad, everyday requests such as generating a drama or audio play, without scope limits or exclusion conditions. This increases the chance of accidental or contextually inappropriate activation, which can cause unintended script generation, file creation, and external API submission of user content.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The description says the skill generates multi-character audio dramas, but it does not warn that user-provided topic/script content is sent to the external SenseAudio TTS API. This omission can lead users to disclose sensitive or proprietary content without informed consent, especially because the skill transforms user input into third-party network traffic.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The usage examples are broad natural-language prompts that can overlap with ordinary conversation, which increases the chance of unintended skill invocation. In an agent environment, ambiguous triggering can cause the system to generate scripts and call external services without the user clearly intending to activate this specific skill.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The document states that script content is sent to a third-party TTS provider, but it does not clearly warn users that their prompts, generated dialogue, and possibly sensitive story content will leave the local environment. This can lead to unintended disclosure of private or regulated data if users assume the skill operates locally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal