Remotion Video Skill (ModelWise)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Remotion video-template skill; the flagged code appears to come from normal bundled Remotion/webpack runtime behavior rather than hidden or destructive behavior.

Install it like any third-party npm project: review package.json and package-lock.json first, run it in a separate project folder or container if possible, and start Remotion Studio from a shell that does not contain unrelated API keys or secrets.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill documentation exposes operational commands and a project structure that implies access to environment variables, local files, file writes, and networked package/runtime behavior, but it does not declare any permissions or trust boundaries. In an agent ecosystem, this mismatch is dangerous because the agent or reviewer may treat the skill as low-risk documentation while it can drive actions that install dependencies, start services, and render outputs touching the host environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal