Universal Video to S3 Uploader

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does the advertised video-to-S3 workflow, but it uses unsafe shell command construction with user-supplied URLs and handles S3 credentials/media uploads with limited safeguards.

Install only if you are comfortable reviewing and running a local script that can download remote media, read S3 credentials, and upload media plus metadata to your configured bucket. Use dedicated least-privilege S3 credentials limited to one bucket or prefix, avoid untrusted or attacker-supplied video URLs until shell-string execution is fixed, and do not grant list/delete permissions unless you specifically need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents shell-capable commands and operational behaviors but does not declare corresponding permissions. This creates a transparency and consent problem: users or orchestrators may invoke a skill with broader execution capability than the manifest communicates, increasing the chance of unintended command execution against local files, network resources, or configured credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest frames the skill as a downloader/uploader for a limited set of platforms, but the documentation indicates materially broader behavior: support for many more sites, S3 connectivity testing, object enumeration, and configuration display. That mismatch weakens informed consent and can hide sensitive capabilities involving remote service interaction and exposure of storage metadata.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Listing S3 objects, deleting files, and generating presigned URLs are security-relevant storage-management actions beyond simple upload/download functionality. If these capabilities are not clearly disclosed at the manifest level, users may grant access expecting benign media transfer while the skill can also enumerate data, remove content, or create shareable access links.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The verification step invokes a shell via child_process.exec using a URL that is derived from configuration and object key inputs. Even though the URL is wrapped in double quotes, shell execution is unnecessary here and can become dangerous if the endpoint or key contains shell-significant characters, leading to command injection or unintended command behavior. In a file-upload skill, this is more concerning because the URL may be influenced by untrusted runtime inputs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place S3 access keys and secret keys in a plaintext file under their home directory without warning about the sensitivity of those credentials or recommending restrictive file permissions. If the local system is shared, backed up insecurely, committed accidentally, or exposed by malware, an attacker could obtain long-lived storage credentials and access or modify bucket contents.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is designed to fetch remote media and transmit it to user-configured storage, but the description does not prominently warn that content and storage credentials are involved in remote network operations. In this context, lack of disclosure matters because the skill handles potentially sensitive URLs, media, bucket locations, and access credentials tied to external services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script uploads both downloaded video content and associated metadata to S3, but it does not present an explicit privacy or external-transmission warning before doing so. In an agent skill context, this can cause users to unknowingly exfiltrate third-party content, titles, uploader names, and derived metadata to remote storage under configured credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically uploads downloaded media and metadata to an S3-compatible endpoint using configuration loaded from a local file, without an explicit confirmation step or a clear pre-upload disclosure of the destination and transmitted metadata. In an agent-skill context, this can cause unintended exfiltration of user-supplied content and associated metadata to remote storage the user may not realize is being used.

VirusTotal

67/67 vendors flagged this skill as clean.
