Whiteboard Animation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: generate local whiteboard-animation videos from user-provided images, with disclosed local Python setup as the main consideration.

Install only if you are comfortable with the skill creating a local .venv and downloading Python packages from PyPI. In stricter environments, pin or pre-review dependencies first. Also note that the advertised hand overlay appears to require a missing drawing-hand.png asset, so default runs may fail unless that asset is supplied or hand overlay is disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill directs the agent to create a virtual environment and install packages, which modifies the host system beyond simply transforming images into videos. Even if common Python packages are named, package installation and environment creation introduce supply-chain and persistence risks, especially when performed automatically from a conversational trigger.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrase “白板动画” (“whiteboard animation”) is broad enough to match ordinary conversation rather than an explicit tool invocation. In this skill, accidental activation is more concerning because the documented workflow can lead to shell execution, file access, and even package installation, so a benign mention could initiate higher-risk actions than the user intended.

VirusTotal

64/64 vendors flagged this skill as clean.
