Video Download and Transcription (Whisper)

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it claims, but it tells agents how to use browser cookies for member-only video downloads without enough warning or scoping.

Review before installing. Use this only for videos you are allowed to download, avoid browser-cookie access unless you intentionally choose the exact account/profile/site, and write outputs to a private folder rather than /tmp. Check destination files before rerunning because matching outputs may be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The documentation explicitly recommends `--cookies-from-browser` and browser cookies to access member-only content. This expands the skill from public-content retrieval into authenticated session use, which can expose sensitive credentials, enable unauthorized access to private/subscriber content, and encourage misuse of a user's logged-in browser state.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs use of browser-derived cookies and authenticated cookies without any warning about credential exposure, privacy implications, or the risk of pulling session material from a local browser profile. Users may unknowingly expose account access or use high-privilege browser sessions in an unsafe workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
