Security audit

Media Compress

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward local media-compression tool, with the main risk being accidental overwrites of chosen output files.

Install ffmpeg only from a trusted source. Use preview mode first for important media, write results to a separate output folder, and use the backup option when you cannot afford to lose the original or accidentally overwrite an output file.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill instructs users to run local Python scripts that write output files and invoke ffmpeg via the shell, yet the skill declares no permissions or safety boundaries. In an agent environment, this mismatch can bypass expected review and consent controls, especially because the skill supports batch processing and automatic output generation that can modify many files.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: ffmpeg is invoked with -y, which forces overwriting the output path without an interactive confirmation at the point of execution. If a user supplies or the tool derives an unintended output path, existing files can be silently replaced, causing data loss or clobbering important content.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.