Back to skill

Security audit

videogenCN

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed video-generation helper that sends user-selected prompts and media to third-party video APIs and downloads the result.

Before installing, make sure you are comfortable sending prompts and any selected images to the chosen video provider. Use --dry-run to preview requests when possible, avoid private or sensitive media unless the provider terms are acceptable, and provide only the specific files you intend to use for generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The provider automatically uploads local media files to DashScope temporary OSS storage for model families that do not accept local files directly, and this happens without an explicit consent gate or prominent warning at the upload point. Even though the upload is necessary for functionality and appears intentional rather than malicious, it can expose sensitive local images or video frames to a third-party cloud service unexpectedly, which is a real privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.