Roblox Clip Transformer

Security checks across malware telemetry and agentic risk

Overview

This skill is a local video-editing helper whose file writes and FFmpeg use match its stated purpose, with ordinary overwrite and dependency-install cautions.

Install this only if you are comfortable running local video-processing tools. Use a virtual environment, install FFmpeg and Python packages from trusted sources, process media you trust, and choose output filenames or folders that are safe to overwrite.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill documentation instructs users to run local Python scripts and CLI commands that invoke shell tooling like FFmpeg and generate output files, yet it declares no permissions. This mismatch is dangerous because it hides the skill's true execution capabilities from any permission or review system, reducing visibility into file writes and command execution that will occur on the host.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script hardcodes ffmpeg with '-y', which overwrites existing output files without confirmation. In an automation or agent context, this can destroy prior media artifacts or clobber arbitrary writable files if an attacker influences the output path, causing data loss and potentially disrupting downstream workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal