Creative Ops Copilot

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed creative production helper that writes planning files and can optionally send an invoice draft to a configured invoicing API.

Before installing, review the invoicing configuration. Only use --push-invoice when you intend to send client/project invoice data, keep the API URL local or trusted, and use a narrowly scoped API key if one is configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 86%
Finding
When --push-invoice is used, the script sends invoice draft data containing client and project information to whatever baseUrl is present in configuration, with no validation, allowlist, or explicit runtime confirmation. In an agent-skill context, this creates a real data-exfiltration risk because a user or upstream automation may not realize that locally generated business data will be transmitted off-host to an attacker-controlled or misconfigured endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.
