Back to skill

Security audit

Script + Custom Media

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Revid video-rendering helper; the main caution is that scripts and public media URLs are sent to Revid for processing.

Install this only if you are comfortable sending the video script, public media URLs, and render details to Revid. Do not use private internal URLs, confidential scripts, or long-lived signed asset links unless you have reviewed Revid's data handling and are comfortable with that exposure; keep the ReVID API key scoped and secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to validate caller-supplied media URLs and then submit them to Revid, but it does not clearly warn users that their URLs will be fetched and transmitted to an external third-party service. This creates privacy and security risk because user-provided URLs may expose internal, signed, or sensitive media locations and can trigger unintended outbound requests if not tightly constrained.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.