VidIQ - Video Intelligence

Security checks across malware telemetry and agentic risk

Overview

This video tool mostly does what it advertises, but it needs review because it unnecessarily evaluates video metadata as code while processing arbitrary media.

Review before installing. Use it only on media you are allowed to download or process, avoid sensitive/private videos on shared systems unless you clear /tmp/vidiq afterward, and prefer a fixed version that replaces eval-based frame-rate parsing with safe fraction parsing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill fetches remote media and caches it in /tmp/vidiq without prominently warning the user up front. This can create privacy, retention, and disk-usage risks because users may not realize remote content is being downloaded and stored locally, potentially including sensitive or copyrighted material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal