Yq Vfx Pipeline Automation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed VFX asset workflow skill that generates images, optional videos, and a report, with no executable code or hidden behavior found.

Before installing, understand that this skill may activate on broad VFX creation requests and can create image/video output files in the workspace. Review generated prompts and images before approving any video generation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger phrase "制作特效素材" is broad enough to match ordinary requests about creating effects assets, which can cause unintended activation of this multi-step automation skill. Because the skill can generate files and potentially invoke downstream image/video generation tools, ambiguous activation increases the risk of accidental execution beyond what the user explicitly intended.

Vague Triggers

Low

Confidence: 80% confidence
Finding: The skill mixes trigger wording with general scenario descriptions, so it is unclear what text should activate the workflow versus what merely describes when it may be useful. This ambiguity can make orchestration layers invoke the skill in situations where the user only intended a normal discussion or partial assistance, increasing the chance of overbroad tool use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal