ffmpeg-static

Security checks across malware telemetry and agentic risk

Overview

This is a normal FFmpeg helper skill; the main things users should watch for are output file overwrites and the trust placed in the third-party prebuilt binary package.

Install only if you are comfortable with ffmpeg-static downloading a prebuilt FFmpeg binary during npm install. When copying commands, choose fresh output paths, or remove -y (or use -n) if you do not want existing files replaced, and validate untrusted file paths or URLs before passing them to FFmpeg.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 70%
Finding: Without declared permissions the skill's intent is opaque and cannot be validated.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 98%
Finding: This is a mismatch because the declared purpose describes a functional FFmpeg operations skill, but the code does not execute any FFmpeg commands or perform transcoding, conversion, thumbnail extraction, or pipeline processing. Its actual purpose is a helper utility for locating ffmpeg/ffprobe binaries. While fallback to a system installation is consistent with part of the description, the primary behavior is materially narrower and different from the claimed media-processing functionality.

Missing User Warnings (Medium)
Confidence: 88%
Finding: The markdown advises always passing `-y` in non-interactive scripts, which causes FFmpeg to overwrite output files without prompting. Although the behavior is described, the text does not warn users about the risk of accidental data loss or file replacement, which is a safety-relevant effect on user data.

Missing User Warnings (Medium)
Confidence: 91%
Finding: This plain-text skill file contains many copy-paste commands that write files and force-overwrite existing outputs via the -y option. The file does not include any user-facing warning that these commands will replace files automatically, which is a safety-relevant omission for markdown/plain-text instructional content under the missing-warnings rule.

VirusTotal

65/65 vendors flagged this skill as clean.
