NVIDIA AV1 Video Compressor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local video-compression skill, but it needs review because it can automatically install an unpinned Python package at runtime and can run batch compression through an agent wrapper without an in-script confirmation step.

Review before installing. This skill appears purpose-aligned for local NVIDIA/FFmpeg video compression, but install tqdm yourself from a trusted source first or run it in an isolated environment to avoid the automatic runtime pip install. Use test mode on a small sample, confirm the exact input and output directories, and only allow full batch compression after checking the output quality.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from tqdm import tqdm
except ImportError:
    print("正在安装依赖库 tqdm...")
    subprocess.run([sys.executable, "-m", "pip", "install", "tqdm", "-i", "https://pypi.tuna.tsinghua.edu.cn/simple"], 
                   capture_output=True)
    from tqdm import tqdm
Confidence
97% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "tqdm", "-i", "https://pypi.tuna.tsinghua.edu.cn/simple"], capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation indicates shell execution and file-reading behavior, but no permissions are declared. That creates a transparency and policy-enforcement gap: an agent or user may invoke commands over local files without an explicit trust boundary, increasing the chance of unintended access or unsafe execution. In this context, the tool legitimately needs file and shell capabilities, but the undeclared permissions still make the skill riskier rather than harmless.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims to be a local video compression utility, but it also appears to perform runtime pip installation from external package repositories. This expands the trust boundary from local media processing to network-based code retrieval, creating supply-chain and arbitrary code execution risk if packages or mirrors are compromised. The mismatch is especially dangerous because users may not expect internet access or software installation from a compression skill.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Automatically downloading and installing a Python package from an external mirror at runtime exceeds the stated purpose of a local compression tool and materially changes the trust boundary. If the mirror, package, or network path is compromised, running the script can lead to arbitrary code execution under the user's privileges.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code has built-in capability to fetch and install Python packages over the network during execution, which creates a supply-chain attack surface inconsistent with a simple video-processing utility. This is especially concerning because installation is triggered automatically on import failure, with no explicit user approval at that moment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger keyword "视频优化" is broad enough to match many ordinary user requests that are not specifically asking for batch AV1 transcoding. In an agent setting, this can cause the skill to be invoked unexpectedly, leading to unnecessary file processing or execution of local compression commands on user directories without sufficiently precise intent matching.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger example 用户说“帮我压缩视频” is very broad and can cause the skill to be selected for many generic requests without sufficient disambiguation. In an agent setting, this increases the chance of unintended invocation of compression workflows, potentially leading to unnecessary file processing or user confusion, especially because the report also describes automated environment checks and analysis steps.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The described user flow is underspecified and lacks negative examples or boundaries for when the skill should not activate. Because the report frames the skill as automatically detected and then proceeds into environment checks, analysis, and testing, an agent may over-apply it to ambiguous user requests and begin filesystem-affecting operations without strong intent verification.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README says Qwen Code can automatically recommend this skill whenever a user mentions '压缩视频', which is an overly broad trigger tied to common user phrasing rather than an explicit user request to run this specific tool. In agent ecosystems, broad auto-invocation language can cause the skill to be suggested or selected in contexts the user did not intend, increasing the chance of unintended file processing or execution of compression workflows.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill documentation says that when a user mentions '压缩视频' the skill should be automatically recommended, which is a very broad phrase likely to occur in normal conversation. In an agent ecosystem, overly broad trigger phrases can cause unintended invocation of this skill, leading the agent to route user data or actions into video-processing workflows without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The wrapper forcibly appends --no-confirm for a file-writing compression operation, removing an opportunity for the operator to review or abort potentially destructive actions. In an agent context, this increases the chance of unintended overwrites, bulk processing, or writes to an unexpected destination without explicit consent.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README documents a non-interactive bulk compression command using --no-confirm without clearly warning that it will proceed without user confirmation and may modify or create outputs for many files at once. In an agent context, this increases the chance of unintended large-scale processing, resource consumption, or overwriting/side effects if the operator misunderstands the command.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README explicitly demonstrates a non-interactive batch compression command using --no-confirm without warning that it may process many files automatically and create or overwrite output artifacts without a human confirmation step. In an agent or automation context, documenting this pattern encourages autonomous file operations that can lead to unintended bulk changes, data loss, or costly compute usage if the input path is wrong.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
python scripts/compress_videos.py

# Command-line mode
python scripts/compress_videos.py -i "/path/to/videos" -p B --no-confirm

# Test mode
python scripts/compress_videos.py -i "/path/to/videos" -p B --test
Confidence
83% confidence
Finding
--no-confirm

Unpinned Dependencies

Low
Category
Supply Chain
Content
tqdm>=4.60.0
Confidence
96% confidence
Finding
tqdm>=4.60.0

Tool Parameter Abuse

High
Category
Tool Misuse
Content
python scripts/compress_videos.py

# Command-line mode
python scripts/compress_videos.py -i "/path/to/videos" -p B --no-confirm

# Test mode
python scripts/compress_videos.py -i "/path/to/videos" -p B --test
Confidence
87% confidence
Finding
--no-confirm

VirusTotal

65/65 vendors flagged this skill as clean.
