Back to skill

Security audit

Jianying Auto Editor

Security checks across malware telemetry and agentic risk

Overview

This skill matches its video-editing purpose, but it can send local media file metadata and an API key to a configured cloud service, and the example endpoint is an insecure raw HTTP IP address.

Review before installing. Use only a trusted HTTPS API endpoint, not the sample raw-IP URL; use a scoped API key; point material_path only at files intended for this edit; and prefer task-subdir output unless you intentionally want to overwrite draft files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow states that the skill will recursively scan a local media folder, upload a material index to a cloud API, and send an execution report back to the cloud, but the description does not clearly warn users about this data transfer. In this context, the omission is dangerous because local file names, paths, metadata, and report contents may reveal sensitive personal or business information and users may not meaningfully consent to that exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.install_untrusted_source

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/index.js:14

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
examples/config.example.json:2