Ai Video Skills

Security checks across malware telemetry and agentic risk

Overview

The skill matches its video-generation purpose, but it can send a paid-service API key to arbitrary URLs if a full endpoint or base URL is supplied.

Review before installing. Use only with a skills.video API key you are comfortable using for paid generation, avoid custom full URLs or untrusted base URLs, and confirm model/prompt/cost before starting jobs. The publisher should declare the required credential and restrict bearer-token requests to trusted HTTPS skills.video hosts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill instructs the agent to use shell commands, read local files such as OpenAPI specs and docs, access environment variables for an API key, and make outbound network requests, yet it declares no permissions. This is a real security issue because the runtime capabilities materially exceed what a reviewer or permission system would infer, increasing the risk of unauthorized file access, credential exposure, or external API calls without explicit user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.
