Back to skill

Security audit

VoooAI - AI Multimedia NL2Workflow Platform

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed VoooAI creative-generation integration that uses a user-provided key to upload media, run workflows, check status, and download results.

Install only if you trust VoooAI with the prompts and media files you choose to submit. Keep VOOOAI_BASE_URL unset unless you intentionally trust an alternate server, use a dedicated access key if possible, and review estimated point costs before allowing workflow execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tainted flow: 'req' from os.environ.get (line 110, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
url = f"{BASE_URL.rstrip('/')}{path}"
    req = urllib.request.Request(url, method="GET", headers=_headers())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        err_body = e.read().decode("utf-8") if e.fp else ""
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 110, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
headers=_headers(),
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        err_body = e.read().decode("utf-8") if e.fp else ""
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script queries and exposes account-scoped metadata such as points balance, membership level, trust level, rate limits, and possibly cost guidance. That expands the skill beyond the stated creative-only scope and can leak sensitive operational or billing-adjacent information to users or downstream callers, enabling account reconnaissance and misuse planning.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The CLI/help text explicitly advertises checking platform capabilities and credit balance, which contradicts the manifest's claim that the skill should only relay creative requests verbatim. This mismatch is dangerous because it signals undocumented functionality that broadens the accessible attack surface and may expose non-creative account information through a tool users would not expect to have such access to.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation guidance is broad enough to trigger the skill for nearly any creative or media-related request, increasing the chance that user content, local files, or prompts are sent to the external backend by default. Because this skill can upload files, execute workflows, and spend points, overbroad routing meaningfully raises the risk of accidental externalization and unwanted paid actions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.