AI Notes of Video

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: it sends a user-provided video URL to Baidu to generate and query AI notes.

Install this only if you intend to use Baidu's service. Use a scoped Baidu API key where possible, watch quota or billing, and avoid submitting private, internal, signed, authenticated, or sensitive video URLs unless you are authorized to share them with Baidu.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to provide a video URL that will be sent to Baidu for remote processing, but it does not clearly warn users that third-party disclosure occurs. This can cause inadvertent sharing of sensitive or internal URLs, signed links, or private media with an external service, creating privacy, compliance, and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal