group-director

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow video-generation wrapper that sends a prepared prompt to SenseAudio and returns a video URL.

Install only if you are comfortable sending finalized video prompts to SenseAudio and providing a SenseAudio API key. Use a dedicated key where possible, keep SENSEAUDIO_BASE_URL fixed to the intended provider endpoint, avoid including sensitive group-chat details in prompts, and do not paste raw error output into Feishu/Lark.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill clearly expects access to environment variables and outbound network connectivity, but those capabilities are not explicitly declared. Hidden or undeclared capabilities make review, sandboxing, and least-privilege enforcement harder, increasing the risk that the skill is granted broader access than operators realize.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal