YM-MediaToolkit (Media Processing Toolkit)

Security checks across malware telemetry and agentic risk

Overview

This media toolkit’s network access, file outputs, and job persistence are disclosed and aligned with its stated media-processing purpose, though users should configure it carefully.

Install only in an environment where media processing and outbound HTTP/HTTPS fetching are acceptable. Keep the HTTP server bound to localhost unless it is behind authentication, restrict `media_roots` to intended directories, and use `overwrite=false` when existing workspace files should be preserved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The helper explicitly performs `requests.head` against a user-supplied URL, adding outbound network access to a media-processing skill. If URL validation is incomplete, this can be abused for SSRF-style probing of internal services or metadata endpoints and expands the skill beyond the described local processing scope.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Passing a user-influenced URL directly to `ffmpeg`/`ffprobe` grants the skill remote fetching capability and can enable SSRF, internal network access, or unexpected protocol handling by FFmpeg. In this context, the skill is presented as a media utility, so hidden remote retrieval materially increases risk: FFmpeg supports many network protocols, and its parsers and protocol handlers have historically been a significant attack surface.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The file explicitly implements remote URL video processing via HTTP requests and byte-range fetching, while the stated skill metadata only describes a general media assistant and does not clearly disclose outbound network retrieval. This creates a capability mismatch that can surprise operators and users, especially in restricted environments where remote fetching or SSRF-like access is sensitive.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The extractor performs arbitrary outbound requests to user-supplied URLs using HEAD and GET, including range requests, which can be abused to access internal services or sensitive network locations if URL validation is insufficient. In an agent or server environment, this is a classic SSRF-style risk because the code turns the host running the skill into a network proxy to attacker-chosen destinations.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill supports fetching and processing remote media URLs, which expands it from local media manipulation into network-capable content retrieval. That creates SSRF-style risk and unexpected outbound access if untrusted users can supply URLs, especially because `ffmpeg` itself may open remote resources during processing.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Including network access in a media compression feature increases attack surface beyond what users may expect from a local-processing tool. In this context, user-supplied URLs can trigger outbound requests via `requests.head` and `ffmpeg`, enabling access to internal services or policy-bypassing egress if URL validation is incomplete.

Vague Triggers

Medium
Confidence: 78%
Finding
The natural-language `chat` entrypoint is described broadly and appears able to map free-form user text into file-writing and media-processing actions. Without explicit confirmation gates, narrow trigger patterns, or exclusions, an agent may misinterpret ambiguous prompts and perform unintended local file processing, remote fetching, or overwriting actions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation states that file-writing interfaces support `overwrite` and that it defaults to `true`, while jobs and outputs are persisted on disk. Default overwrite plus persistent storage increases the risk of accidental data loss, unintended retention of sensitive media-derived artifacts, and silent modification of existing files when invoked by an agent or through ambiguous chat input.

Missing User Warnings

Medium
Confidence: 94%
Finding
Multiple file-writing actions in the manifest default to `overwrite=true`, which can cause silent destruction or replacement of existing user files if callers omit the parameter. In a media-processing skill that accepts user-supplied paths and batch/pipeline operations, this increases the chance of accidental data loss at scale.

Missing User Warnings

Medium
Confidence: 86%
Finding
The function downloads arbitrary remote content to a persistent temporary file without checking HTTP status, content type, or content length, and without enforcing a download size limit. In a media-processing skill, this can enable disk exhaustion or storage of unexpected/malicious content, especially because the file is created with `delete=False` and cleanup depends on callers remembering to remove it.

VirusTotal

65/65 vendors flagged this skill as clean.