
Security audit

AI Popular-Science Video Studio (for Mac mini 16G) (original name: AI科普视频工作室(Mac mini 16G适用))

Security checks across malware telemetry and agentic risk

Overview

This video-production skill is mostly coherent, but it has the agent work with authenticated browser sessions, biometric face and voice inputs, and runtime package installation without enough scoping or user safeguards. The six subprocess findings below are all list-form calls without shell=True, so the exposure is not shell injection but unvalidated paths: every FFmpeg command passes -y, so a wrong or user-supplied output path silently overwrites whatever is there, and the concat step runs with -safe 0, which lets the list file reference any path on the system.

Install only if you are comfortable running a media pipeline that can process local files, overwrite outputs, install Python packages at runtime, run FFmpeg on provided media, and operate through an authenticated Google browser profile. Use a dedicated project directory and browser profile, review any pip install before it runs, use only voices and portraits you own or have permission to use, and do not feed it untrusted media files or arbitrary output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
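The Behavioral AST pattern above is the one that produces the subprocess findings further down. The following is an added example, not SkillSpector's code: a minimal scanner built on Python's standard ast module that reports exec()/eval() calls, dynamic imports, and subprocess calls, and inspects literal argument lists for shell=True, a runtime pip install, FFmpeg's -y, and concat -safe 0. The SAMPLE source it is run on is constructed here to resemble the flagged snippets.

```python
"""Minimal Behavioral-AST scanner (added example; not SkillSpector's code).

Walks a Python source with the standard ``ast`` module and reports, per line:
  - exec()/eval() calls and dynamic imports (__import__, importlib.import_module)
  - subprocess.run/call/check_call/check_output/Popen calls, plus shell=True,
    ``pip install``, ``ffmpeg -y`` and ``-safe 0`` when the argv is a literal list.
"""
import ast

DYNAMIC_IMPORTS = {"__import__", "import_module"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _dotted(node):
    """Dotted name of a Name/Attribute chain, e.g. 'subprocess.run'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _literal_strings(node):
    """All string constants inside an argument node (a literal list, usually)."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def scan(source: str, filename: str = "<skill>"):
    """Return sorted (lineno, message) findings for ``source``."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        short = name.rsplit(".", 1)[-1]
        if name in ("exec", "eval"):
            findings.append((node.lineno, f"{name}() call"))
        elif short in DYNAMIC_IMPORTS:
            findings.append((node.lineno, f"dynamic import via {name}"))
        elif name.startswith("subprocess.") and short in SUBPROCESS_FUNCS:
            findings.append((node.lineno, f"{name} call"))
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "shell=True"))
            if node.args:
                argv = _literal_strings(node.args[0])
                if "pip" in argv and "install" in argv:
                    findings.append((node.lineno, "runtime pip install"))
                if "ffmpeg" in argv and "-y" in argv:
                    findings.append((node.lineno, "ffmpeg -y overwrite"))
                if "-safe" in argv and "0" in argv:
                    findings.append((node.lineno, "concat -safe 0"))
    return sorted(findings)


# Constructed sample that mirrors the flagged snippets (not the skill's file).
SAMPLE = '''
import subprocess, sys
def ensure_whisper():
    try:
        import whisper
    except ImportError:
        subprocess.run([sys.executable, "-m", "pip", "install", "openai-whisper"], check=True)

def concat(concat_path, output_path):
    subprocess.run(["ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", concat_path, "-c", "copy", output_path], check=True)

def risky(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for lineno, msg in scan(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Because it only reads literal lists, a command assembled in a variable (cmd = [...] then subprocess.run(cmd)) is reported as a subprocess call but its flags are not inspected; that is exactly the blind spot behind the lower confidence on the first two findings below, where the argv is built elsewhere.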
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-shortest",
        output_path,
    ]
    subprocess.run(cmd, check=True)
    print(f"  Subtitled: {video_path} → {output_path}")
Confidence
88% confidence
Finding
subprocess.run(cmd, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
output_path,
    ])

    subprocess.run(cmd, check=True)
    print(f"Composited {len(segment_paths)} segments with {xfade}s xfade → {output_path}")
Confidence
88% confidence
Finding
subprocess.run(cmd, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if total_frames == 0:
        print(f"Warning: No subtitle frames in {subtitle_frame_dir}, skipping overlay")
        # Just copy
        subprocess.run(["ffmpeg", "-y", "-i", video_path, "-c", "copy", output_path],
                       check=True)
        return
Confidence
82% confidence
Finding
subprocess.run(["ffmpeg", "-y", "-i", video_path, "-c", "copy", output_path], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for u in unified:
                f.write(f"file '{u}'\n")

        subprocess.run([
            "ffmpeg", "-y",
            "-f", "concat", "-safe", "0",
            "-i", concat_path,
Confidence
91% confidence
Finding
subprocess.run([ "ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", concat_path, "-c", "copy", output_path, ], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with tempfile.TemporaryDirectory() as tmpdir:
        for i, seg in enumerate(segment_paths):
            tmp_path = os.path.join(tmpdir, f"u_{i:02d}.mp4")
            subprocess.run([
                "ffmpeg", "-y", "-i", seg,
                "-c:v", "libx264", "-crf", "20",
                "-c:a", "aac", "-ar", "48000", "-ac", "2", "-b:a", "192k",
Confidence
86% confidence
Finding
subprocess.run([ "ffmpeg", "-y", "-i", seg, "-c:v", "libx264", "-crf", "20", "-c:a", "aac", "-ar", "48000", "-ac", "2", "-b:a", "192k",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import whisper
    except ImportError:
        print("Installing openai-whisper...")
        subprocess.run([sys.executable, "-m", "pip", "install", "openai-whisper"],
                       check=True)
        import whisper
Confidence
96% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "openai-whisper"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read and write files and invoke shell tools like ffmpeg, whisper, pip, and custom scripts, but it declares no permissions. This creates a transparency and sandboxing gap: users and enforcement layers cannot accurately assess what the skill may do, increasing the risk of unintended file modification, command execution, or dependency installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented behavior materially overstates the implemented pipeline while omitting actual behaviors such as Whisper use and possible auto-installation. This mismatch is dangerous because operators may trust the skill to perform sensitive stages safely or locally when those stages are absent, and may be surprised by undeclared dependency installation or data handling during transcription.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Auto-installing openai-whisper during subtitle rendering/transcription adds hidden package-fetching and environment mutation behavior beyond simple local media processing. In an agent skill context, this is more dangerous because users may run the script as part of an automated pipeline, causing unreviewed dependency retrieval and execution in trusted environments.
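The pattern flagged above (try: import whisper / except ImportError: pip install) can be replaced with an explicit gate. This is an added example, not the skill's code: the default is to refuse and print the exact command for the operator to review; an install happens only when the caller opts in (here via an assumed SKILL_ALLOW_INSTALL environment variable or a keyword argument) and the requirement is pinned to a version. The pin shown is a placeholder for whichever openai-whisper release you reviewed.

```python
"""Gate runtime dependency installation behind an explicit opt-in
(added example; not the skill's own code)."""
import importlib
import importlib.util
import os
import re
import subprocess
import sys

# Only 'name==version' is accepted; anything looser would install whatever
# PyPI serves at run time, which is the behaviour the finding objects to.
PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*==[0-9][A-Za-z0-9.]*$")
OPT_IN_VAR = "SKILL_ALLOW_INSTALL"   # assumed variable name for this example


class DependencyMissing(RuntimeError):
    """Raised when a module is absent and installing it was not authorised."""


def is_available(module: str) -> bool:
    importlib.invalidate_caches()
    return importlib.util.find_spec(module) is not None


def install_command(requirement: str) -> list:
    """pip argv for a pinned requirement; refuses unpinned specs outright."""
    if not PINNED.match(requirement):
        raise ValueError(f"refusing unpinned requirement: {requirement!r}")
    return [sys.executable, "-m", "pip", "install",
            "--disable-pip-version-check", requirement]


def ensure_dependency(module, requirement, allow_install=None, run=subprocess.run):
    """Return 'present' or 'installed'; raise DependencyMissing otherwise.

    allow_install=None reads the opt-in from the environment; True/False
    override it. ``run`` is injectable so the gate can be tested offline.
    """
    if is_available(module):
        return "present"
    cmd = install_command(requirement)          # validates the pin first
    if allow_install is None:
        allow_install = os.environ.get(OPT_IN_VAR) == "1"
    if not allow_install:
        raise DependencyMissing(
            f"{module} is not installed. Review and run manually:\n"
            f"  {' '.join(cmd)}\n"
            f"or set {OPT_IN_VAR}=1 to let this skill install it.")
    run(cmd, check=True)
    if not is_available(module):
        raise DependencyMissing(f"{requirement} installed but {module} is still not importable")
    return "installed"


if __name__ == "__main__":
    # Placeholder pin; substitute the release you actually reviewed.
    print(ensure_dependency("whisper", "openai-whisper==20231117", allow_install=False))
```

Run in an agent pipeline, the refusal path turns a silent environment mutation into a visible stop with a copy-pasteable command, which is what the finding asks for.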

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides voice cloning instructions using reference audio and transcript text but gives no warning about consent, impersonation risk, retention, or handling of biometric voice data. In this context, the omission materially increases abuse potential because the skill is specifically designed to synthesize a personal voice for video narration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs uploading a portrait photo and relying on an active Google account context in Chrome, but does not warn about privacy, account exposure, or the sensitivity of facial images. Because this stage combines biometric data with browser-authenticated access to an external service, misuse or unclear handling could expose personal identity data or leak authenticated session activity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The FFmpeg command includes -y, which forces overwrite of any existing output file without confirmation. In an automated content-production pipeline, if the output path is user-supplied or computed incorrectly, this can destroy existing media or other writable files, causing data loss and potentially clobbering important artifacts.

Unvalidated Output Injection

High
Category
Output Handling
Content
def extract_audio_wav(video_path, output_path):
    """Extract audio as 16-bit PCM WAV for analysis."""
    subprocess.run([
        "ffmpeg", "-y",
        "-i", video_path,
        "-vn",
Confidence
83% confidence
Finding
subprocess.run([ "ffmpeg", "-y", "-i", video_path, "-vn", "-acodec", "pcm_s16le", "-ar", "48000", "-ac", "2", output_path, ], check=True, ca

Unvalidated Output Injection

High
Category
Output Handling
Content
if total_frames == 0:
        print(f"Warning: No subtitle frames in {subtitle_frame_dir}, skipping overlay")
        # Just copy
        subprocess.run(["ffmpeg", "-y", "-i", video_path, "-c", "copy", output_path],
                       check=True)
        return
Confidence
77% confidence
Finding
subprocess.run(["ffmpeg", "-y", "-i", video_path, "-c", "copy", output

Unvalidated Output Injection

High
Category
Output Handling
Content
with tempfile.TemporaryDirectory() as tmpdir:
        for i, seg in enumerate(segment_paths):
            tmp_path = os.path.join(tmpdir, f"u_{i:02d}.mp4")
            subprocess.run([
                "ffmpeg", "-y", "-i", seg,
                "-c:v", "libx264", "-crf", "20",
                "-c:a", "aac", "-ar", "48000", "-ac", "2", "-b:a", "192k",
Confidence
79% confidence
Finding
subprocess.run([ "ffmpeg", "-y", "-i", seg, "-c:v", "libx264", "-crf", "20", "-c:a", "aac", "-ar", "48000", "-ac", "2", "-b:a", "192k",

Unvalidated Output Injection

High
Category
Output Handling
Content
for u in unified:
                f.write(f"file '{u}'\n")

        subprocess.run([
            "ffmpeg", "-y",
            "-f", "concat", "-safe", "0",
            "-i", concat_path,
Confidence
90% confidence
Finding
subprocess.run([ "ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", concat_path, "-c", "copy", output

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.