Security audit

AI Video Editor (AI 视频剪辑器)

Security checks across malware telemetry and agentic risk

Overview

This skill behaves like a disclosed cloud AI video editor: it uploads selected MP4 files to a Sparki-backed API, creates a processing job, and returns a temporary result link.

Install only if you are comfortable sending chosen MP4 files, prompts, and style settings to Sparki's remote processing backend. Avoid confidential, regulated, copyrighted, or non-consented footage unless your organization has approved that data transfer. Keep SPARKI_API_KEY private, and treat returned download links as sensitive until they expire.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to execute shell commands (`bash` scripts, `curl`, `jq`, config writes) but does not declare permissions for those capabilities. That creates a transparency and policy-enforcement gap: the agent may perform network access and local command execution without an explicit permission boundary, increasing the chance of unintended execution or abuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README clearly states users upload source media and natural-language requests to Sparki for processing, but it does not prominently disclose the privacy and data-sharing implications of sending potentially sensitive videos, audio, and prompts to a third-party service. In a video-editing skill, this omission is more significant because inputs may contain faces, voices, locations, confidential meetings, or other personal/business-sensitive content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are very broad and match common user requests such as 'edit this video' or 'make it vertical,' causing the skill to activate in many routine scenarios. In context, that increases the chance of automatically routing user videos to a third-party cloud workflow when the user may not have intended external upload or use of this vendor.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it uploads video files to a cloud service, but it does not require a clear user-facing consent/privacy warning at the point of use. Because videos may contain sensitive personal, corporate, or copyrighted content, silent or implicit transfer to a third party creates real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally uploads a user-supplied local video file to a third-party remote API, but provides no explicit user-facing notice, confirmation, or consent mechanism at the point of transmission. In the context of an agent skill that may be invoked automatically for video editing tasks, this creates a real privacy and data-handling risk because users may not realize their local media is being sent off-device to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.