Nm Scry Media Composition

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed FFmpeg media-composition guide with ordinary local file-writing cautions and no hidden credential, persistence, or exfiltration behavior.

Install this only if you want an agent to help compose local media with FFmpeg. Before running examples, check manifest-provided commands, output filenames, and temporary file names because existing files at those paths may be overwritten.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger list includes broad generic terms like "media," "combine," and "tutorial," which can cause the skill to activate in contexts far outside its intended FFmpeg/media-composition scope. Over-broad invocation increases the chance an agent will apply file-writing and command-oriented instructions unexpectedly, raising the risk of unintended local actions.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill demonstrates commands that create and overwrite local files, including here-doc creation of concat_list.txt and repeated use of ffmpeg with the -y overwrite flag, without an explicit warning or confirmation requirement. In an agent setting, this can lead to silent modification of workspace files or clobbering existing outputs if the commands are followed automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal