Back to skill

Security audit

Batchedits

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward BatchEdits video-editing integration, but users should understand that videos and credentials are sent to or configured for a remote service.

Install only if you trust the BatchEdits service with the videos you choose to process. Prefer the header-based or OAuth setup over putting an API key in the URL, and avoid using sensitive, regulated, or confidential media unless you have authorization to upload it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises autonomous video editing but does not clearly warn that local video files will be uploaded to a third-party BatchEdits server for processing. This can mislead users into sending sensitive or regulated media off-device without informed consent, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Embedding the API key directly in the MCP server URL is unsafe because URLs are commonly exposed through shell history, logs, config files, process listings, screenshots, and support dumps. If the key is leaked, an attacker could reuse it to access the BatchEdits account or API under the user's identity.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.