Renderingvideo Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uploads a chosen RenderingVideo JSON file to a public preview service, so avoid private content.

Install only if you are comfortable sending RenderingVideo schema JSON to video.renderingvideo.com. Do not use it with secrets, tokens, customer data, private media, proprietary scripts, or internal URLs unless you intend that content to leave your machine and be reachable through a temporary shareable preview link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README instructs users to send arbitrary RenderingVideo schema JSON to a public preview endpoint and emphasizes that the resulting link is shareable, but it does not warn that the schema contents are transmitted to a third-party service and may be exposed through temporary URLs. In an agent skill context, this increases the risk of accidental data exfiltration if a user-provided schema contains secrets, internal URLs, proprietary assets, or sensitive text embedded in the video definition.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill metadata and instructions explicitly direct use of a public preview API and note that the resulting preview page is shareable, but the skill description does not warn users that their schema JSON will be transmitted to a third-party public endpoint. This creates a real risk of unintended disclosure if users include proprietary media references, internal text, credentials, or other sensitive content in the schema, especially because the generated preview URL can be shared and remain accessible for several days.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script reads an arbitrary local JSON file and posts its full contents to a remote service at video.renderingvideo.com, but it provides no explicit warning, consent gate, or data classification check before exfiltrating that file. In this skill's context, users may pass schema JSON that can contain proprietary prompts, URLs, assets, or embedded secrets, so silent upload to a third-party preview endpoint creates a real confidentiality risk even though the behavior appears intended for preview generation.

VirusTotal

65/65 vendors flagged this skill as clean.
