Security audit

Opencreator Skills

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for OpenCreator workflows, but it needs review because it can send user media to third-party file hosts and operate production workflows without enough privacy and consent guidance.

Install only if you are comfortable giving the skill an OpenCreator production API key and having it run or modify workflows on your account. Do not provide sensitive, regulated, private, or third-party face/voice media unless you have rights and consent, and treat tmpfiles.org/catbox.moe uploads as outside OpenCreator with unclear retention and access controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The document explicitly instructs the agent to upload user-provided images and videos to unrelated third-party hosting services before sending them to OpenCreator. This creates an unnecessary external data transfer path for potentially sensitive user media, expands the trust boundary, and can expose private files to services with unknown retention, access controls, or reuse policies.

Intent-Code Divergence

High
Confidence: 93%
Finding
The skill explicitly states it must only produce abstract structural reasoning and must not expose implementation details, but later embeds concrete generator names, node identifiers, routing behavior, and model preferences. This creates an instruction-boundary violation: downstream agents or users can be nudged from high-level planning into operational execution, increasing the chance of unauthorized tool selection, hidden capability activation, or bypass of higher-level planning constraints.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README prominently states that the skill searches templates, runs workflows, and delivers results against a production API endpoint, but it does not clearly warn that user inputs and media may be transmitted to a third-party production service. In an agent setting, this omission can lead users to provide sensitive content without informed consent, increasing privacy and data-handling risk.

Vague Triggers

Medium
Confidence: 93%
Finding
The manifest advertises broad trigger terms such as 'workflow', 'template', and 'content creation pipeline', which are common across many unrelated user requests. This can cause the skill to activate outside its intended OpenCreator scope, increasing the chance that the agent follows domain-specific operational instructions or API workflows in the wrong context.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation section includes a vague catch-all ('or similar content creation') that expands the skill's scope beyond clearly bounded OpenCreator tasks. Ambiguous activation criteria can lead to over-selection of this skill for general media-generation requests, causing unintended API actions, irrelevant instructions, or incorrect handling of user data and workflows.

Missing User Warnings

High
Confidence: 99%
Finding
The skill tells the agent to upload user media to tmpfiles.org and catbox.moe without any privacy notice, consent step, or warning that files will leave the OpenCreator/OpenAI context. Users may unknowingly have personal, proprietary, or regulated content sent to public or weakly governed hosts, creating confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly supports user-uploaded and upstream-provided reference images, including identity/person images for avatar and commercial generation, but provides no guidance on privacy, consent, retention, or sensitive-image handling. In this context, operators may process personal photos without verifying authorization or informing users how biometric or identifying imagery is handled, creating privacy, compliance, and misuse risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
This is a real safety and privacy weakness: the skill explicitly processes human face images and voice audio to generate lip-synced videos, but it provides no warning about consent, biometric/privacy implications, impersonation risk, or whether users are authorized to upload the depicted person's data. In this context, omission is more dangerous because the workflow enables realistic synthetic speaking videos, which can facilitate non-consensual deepfakes, identity misuse, and unauthorized processing of sensitive personal data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly allows the agent to replace user input, inject external data, and reuse prior workflow results without requiring provenance disclosure, authorization checks, or consent boundaries. In a workflow-building/API skill, this can cause silent data substitution, cross-context data leakage, or unintended use of third-party/internal assets, making downstream outputs untrustworthy and potentially privacy-impacting.

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.