After Effects MCP

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward After Effects automation skill. When run, it can change projects and create render files, which matches its stated purpose.

Use this on copies of valuable .aep projects, review JSX scripts before running them, and choose a dedicated output folder so renders do not overwrite important media. Be aware that running the scripts can change the open After Effects project and render queue, even though no credential access, network behavior, or persistence was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill explicitly supports rendering and saving/exporting project templates, but it does not warn that these operations can overwrite existing files or modify user project assets. In an automation context, omission of file-safety guidance increases the chance that an agent will perform destructive actions on local creative work without confirmation or backups.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The workflow instructs users to open a project and execute scripts, but it does not warn that ExtendScript can mutate the currently open After Effects project, alter compositions, add effects, or change render queues. Because the skill is designed for automation of a stateful desktop application, this omission makes accidental destructive edits more likely and can impact valuable project files.

VirusTotal

66/66 vendors flagged this skill as clean.
