FFHub FFmpeg Skill

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it tells the agent to print an API key and uploads local media to temporary public FFHub URLs.

Review before installing. Use it only for media you are comfortable sending to FFHub and exposing through temporary public URLs, and avoid running the API-key check as written; the key should be tested without printing its value.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly tells the agent to upload a user-provided local file to a public cloud URL, but it does not require an explicit consent/privacy warning before transmission. This creates a real data-handling risk because local media may contain sensitive content or metadata, and the upload produces an externally hosted URL that could expose user data beyond the local environment.

External Transmission

Medium

Category: Data Exfiltration
Content: ### Create Task ```bash curl -s -X POST https://api.ffhub.io/v1/tasks \ -H "Authorization: Bearer $FFHUB_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 89% confidence
Finding: https://api.ffhub.io/

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal