Back to skill

Security audit

TCM Video Factory

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward video-planning helper that uses Perplexity for generation and saves a local markdown plan.

Install only if you are comfortable sending the video topic or brief, potentially including health-related interests, to Perplexity. Use a scoped Perplexity API key, keep it in environment configuration, and review any generated medical or wellness content before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-provided topic content to Perplexity's external API without any user notice, consent flow, or data minimization. Because prompts can contain sensitive health-related information, this creates a privacy and data-governance risk even if the transmission is functionally necessary for the skill.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The prompt hard-codes English-only prompt output and Vietnamese dialogue/script behavior without checking user preference. This is not a code-execution flaw, but it can cause unexpected data handling, incorrect localization, and user-content generation in an unintended language or locale.

External Transmission

Medium
Category
Data Exfiltration
Content
throw new Error('Missing PERPLEXITY_API_KEY environment variable.');
  }

  const response = await fetch('https://api.perplexity.ai/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
Confidence
92% confidence
Finding
fetch('https://api.perplexity.ai/chat/completions', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
throw new Error('Missing PERPLEXITY_API_KEY environment variable.');
  }

  const response = await fetch('https://api.perplexity.ai/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
Confidence
92% confidence
Finding
https://api.perplexity.ai/

Unpinned Dependencies

Low
Category
Supply Chain
Content
"start": "node index.mjs"
  },
  "dependencies": {
    "node-fetch": "^3.3.2",
    "dotenv": "^16.4.5"
  }
}
Confidence
92% confidence
Finding
"node-fetch": "^3.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "node-fetch": "^3.3.2",
    "dotenv": "^16.4.5"
  }
}
Confidence
92% confidence
Finding
"dotenv": "^16.4.5"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.