Huo15 Comic Dub

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform its stated comic-dialogue text-to-speech task, with expected API use, local output files, and no evidence of hidden or destructive behavior.

Install only if you are comfortable providing a Volcengine Ark API key and sending script dialogue text to that provider. Review the script length before running because generation may create provider charges, and keep input/output paths scoped to the intended project directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation describes capabilities that read local files (script.json), write output audio files and a manifest, likely use environment variables for API credentials, and make network calls to an external TTS service, yet no permissions are declared. This creates a trust and enforcement gap: a user or platform may authorize or review the skill under the false assumption that it has no sensitive capabilities, increasing the risk of unintended data access, exfiltration, or unexpected external API usage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal