Back to skill

Security audit

Meta Video Ad Deconstructor

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it analyzes video ad content with Gemini, with the main caution that ad text and scene data are sent to Google’s AI service.

Install only if you are comfortable sending ad-derived content to Gemini/Vertex AI. Use a dedicated least-privileged Google service account, protect the credential file, avoid committing it to source control, and do not analyze confidential or regulated creative material unless your organization permits that provider use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code sends potentially sensitive user-provided content—including transcripts, scene descriptions, and text overlays—to an external Gemini model without any consent check, warning, redaction step, or policy gate in this component. In the context of ad analysis, uploaded videos may still contain personal data, confidential campaign materials, or third-party content, so silent transmission to a remote AI service creates a real privacy and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.