Back to skill

Security audit

IP 人设视频打造 SOP

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable marketing SOP, but it needs review because it encourages intrusive research and staged engagement without strong consent or disclosure controls.

Install only if you will treat it as a manual marketing checklist with added safeguards. Get written consent before collecting or publishing personal or customer materials, redact sensitive details, set retention/deletion rules for the material library, and avoid undisclosed team comments, likes, or bullet-screen activity that could mislead viewers or violate platform rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill directs operators to scrape and analyze user comments with AI to infer needs, but it does not set boundaries on collecting personal data, minimizing identifiers, or complying with platform terms and privacy expectations. Even though comments may be publicly visible, aggregating and profiling them with AI can create privacy and compliance risk, especially if usernames, sensitive disclosures, or vulnerable-user signals are retained.

Missing User Warnings

High
Confidence
97% confidence
Finding
This section instructs reviewing an IP's past social content, service history, user feedback, and conducting anonymous visits to their store or company without clear consent, notice, or ethical limits. That creates a substantial risk of privacy invasion, deceptive information gathering, and collection of sensitive business or personal information beyond what the subject intended to share.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The publishing playbook tells the operator and team to seed praise comments and likes to boost apparent traction, which can mislead viewers about authentic engagement and may violate platform manipulation or disclosure rules. In a growth-oriented content skill, this is more dangerous because it operationalizes coordinated inauthentic behavior as a standard step rather than presenting it as a risk to avoid.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Instructing operators to lead bullet-screen comments to trigger imitation similarly promotes coordinated artificial engagement. This can distort perceived popularity, expose the account to moderation or penalties, and create deceptive marketing practices if the activity is not disclosed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.