AI UGC Video Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill describes a user-run AI video workflow that uses third-party services and API keys, with no evidence of hidden persistence or malicious behavior in the reviewed artifact.

Before installing, inspect the actual repository or package that supplies the referenced scripts and package.json, since those files were not part of this review. Use dedicated API keys with spending limits, and avoid uploading sensitive product assets, personal likenesses, or regulated data unless you accept the data handling terms of OpenAI, ElevenLabs, and fal.ai.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill clearly routes user-supplied product information, avatar photos, product images, and audio to multiple external services including OpenAI, ElevenLabs, and fal.ai, but the documentation does not prominently disclose this data sharing. This creates a real privacy and compliance risk because users may provide sensitive marketing assets, likeness data, or proprietary product details without informed consent about third-party processing and retention.

VirusTotal

65/65 vendors flagged this skill as clean.
