Huo15 Comic Orchestrator

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent AI comic-generation orchestrator, but it can launch paid external generation through unreviewed sibling skills and its cost-control documentation is stronger than the included runtime code.

Install only if you trust the full huo15 comic skill family, not just this orchestrator. Keep confirmation enabled, avoid --auto-confirm unless you already approved the budget, set spend limits on the provider account for ARK_API_KEY, and avoid submitting private prompts or media unless you are comfortable sending them to the configured AI services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger list includes broad phrases such as '生成漫剧', '做漫剧', and similar everyday wording that could accidentally match normal conversation. Because this skill can lead to shell execution, file writes, and multi-step orchestration, unintended invocation is more dangerous than in a read-only or informational skill.

VirusTotal

65/65 vendors flagged this skill as clean.
