WaveSpeedAI Ultimate Video Upscaler

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for WaveSpeed video upscaling, with expected privacy, cost, API-key, and URL-validation considerations.

Install only if you are comfortable sending video files or publicly accessible video URLs to WaveSpeed AI. Keep the API key in an environment variable or secret manager, monitor costs, and validate user-provided URLs before submitting them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The skill documentation explicitly warns against loading untrusted or user-provided URLs, yet its examples and parameter contract accept an arbitrary public video URL and forward it to the WaveSpeed service. This inconsistency can enable server-side fetching of attacker-controlled URLs, which may expose internal network resources, retrieve sensitive content, or process malicious media depending on how the backend resolves and fetches URLs.

VirusTotal

63/63 vendors flagged this skill as clean.
