Back to plugin

Security audit

SenseNova-Skills

Security checks across malware telemetry and agentic risk

Overview

No artifact-backed suspicious behavior was available to verify; the supplied telemetry and pre-scan signal alone do not justify a Review hold.

Treat this as an incomplete review result: the provided negative signals alone are not enough to block installation, but the actual SKILL.md and artifact files should be reviewed before trusting the package.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
skills/sn-ppt-standard/scripts/export_pptx/html_to_pptx.mjs:24
Evidence
execSync('npm install --omit=dev', { cwd: __dirname, stdio: 'inherit' });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/sn-image-base/scripts/sn_image_base/generation/sensenova.py:497
Evidence
api_key=[REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/sn-image-base/scripts/sn_image_base/llm/chat_completions_adapter.py:248
Evidence
api_key = [REDACTED]

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
skills/sn-image-imitate/SKILL.md:196
Evidence
If missing, use inline fallback system prompt:

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
skills/sn-image-resume/SKILL.md:261
Evidence
- System prompt: `prompts/resume.md`