Security audit

AI Notes Video

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-provided video URL to Baidu to generate AI notes, with no evidence of hidden persistence or unrelated data access.

Install only if you are comfortable sending video URLs to Baidu's service. Avoid private, internal, signed, token-bearing, or confidential media URLs unless you have authorization and understand Baidu's retention, logging, and processing terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to supply a video URL that is then processed by an external Baidu service, but it does not clearly warn that user-provided content and associated metadata are disclosed to a third party. This can lead to unintended sharing of sensitive or internal media URLs, especially in agent contexts where users may assume processing is local or first-party.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.