Security audit

Idr Avatar Video

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears purpose-aligned, but it sends user content and an API token to a remote service over plain HTTP and leaves generated text files behind locally.

Install only if you are comfortable sending video scripts, selected audio files, account asset metadata, and your service token to the provider. Avoid confidential or regulated content, treat IDR_USER_TOKEN as a secret, and prefer a version that uses HTTPS, deletes temporary text files, and pins dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Tainted flow: 'payload' from open (line 298, file read) → requests.post (network output)

High
Category
Data Flow
Content
headers = get_client_header()
try:
    url = f"{IDR_VIDEO_URL}/video/skill/gen"
    resp = requests.post(url, headers=headers, json=payload)
    resp.raise_for_status()
    data = resp.json()
    if data.get("code") == CODE_SUCCESS:
Confidence
83% confidence
Finding
resp = requests.post(url, headers=headers, json=payload)

Tainted flow: 'payload' from open (line 298, file read) → requests.post (network output)

High
Category
Data Flow
Content
headers = get_client_header()
try:
    url = f"{IDR_VIDEO_URL}/video/inference"
    resp = requests.post(url, headers=headers, files=payload)
    resp.raise_for_status()
    data = resp.json()
    if data.get("code") == CODE_SUCCESS:
Confidence
95% confidence
Finding
resp = requests.post(url, headers=headers, files=payload)

Tainted flow: 'payload' from open (line 298, file read) → requests.post (network output)

High
Category
Data Flow
Content
headers = get_client_header()
try:
    resp = requests.post(url, headers=headers, files=payload)
    resp.raise_for_status()
    data = resp.json()
    if data.get("code") == CODE_SUCCESS:
Confidence
94% confidence
Finding
resp = requests.post(url, headers=headers, files=payload)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires network access and environment-stored credentials but does not declare permissions up front. This can lead users or hosting agents to invoke the skill without clear consent boundaries, increasing the risk of unintended data transmission to the external service and misuse of local secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared description says the skill creates videos, but the documented behavior also enumerates public/private resources, previews audio, fetches avatar images, and checks tasks. This broader operational scope means users may authorize a seemingly narrow video-creation skill that can also access and expose account-linked assets and metadata.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger keywords are generic phrases like '创建视频' and '生成视频', which can match many unrelated user requests. Overbroad activation can cause accidental invocation of a networked third-party skill, potentially sending user content externally when they did not intend to use this provider.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The visible skill description does not warn that use requires network access and transmits user-provided text and selections to an external service. This undermines informed consent and may expose sensitive user content to a third party unexpectedly.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The setup instructions tell users to store an API key in an environment variable but do not warn that the token is sensitive and must not be exposed in prompts, logs, screenshots, or checked-in files. This omission can lead to accidental credential leakage during configuration or troubleshooting.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to submit text and audio to a remote video-generation service and retrieve a hosted video URL, but it does not warn that user-provided content is being transmitted to an external system. This can lead users to unknowingly upload sensitive personal, proprietary, or regulated data, creating privacy, compliance, and data-governance risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill reads an authentication token from the environment and automatically places it into outbound Authorization headers. In this context that is sensitive credential handling, and the risk is amplified because requests are sent to an HTTP endpoint, allowing token interception in transit.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code transmits user text to a third-party service without an explicit user-facing warning about network transfer or data handling. In a content-generation skill, users may paste confidential scripts, making silent transmission materially risky.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script writes user-provided text to a local file in the current working directory without disclosure or cleanup. While not an exploit by itself, it can leave sensitive content behind on disk where other local users or processes may access it.

External Transmission

Medium
Category
Data Exfiltration
Content
headers = get_client_header()
try:
    url = f"{IDR_VIDEO_URL}/video/skill/gen"
    resp = requests.post(url, headers=headers, json=payload)
    resp.raise_for_status()
    data = resp.json()
    if data.get("code") == CODE_SUCCESS:
Confidence
84% confidence
Finding
requests.post(url, headers=headers, json=

Hidden Instructions

High
Category
Prompt Injection
Content
I can help you look up digital-human (avatar), voice, and template resources, and can also generate digital-human videos according to your needs.
You can ask me things like:

🧑‍💼 "Look up the available avatars for me, and check the avatar resolutions."
🎙️ "Which voices can I choose from? I'd like to preview them."
🎬 "Show me which video templates there are."
✨ "I want to generate a product introduction video using the business-scene template."
Confidence
75% confidence
Finding

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

Unsafe Defaults

Medium
Category
Tool Misuse
Content
import argparse
from pathlib import Path

DEFAULT_AUTH = None
IDR_VIDEO_URL = "http://a1.neural-avatar.com:8004"
MEMORY_FILE = Path(__file__).parent / "memory.json"
CODE_SUCCESS = 200
Confidence
88% confidence
Finding
AUTH = None

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: idr-avatar-video
description: 使用视频模板创建视频或者使用数字人和音色创建视频
license: MIT
trigger_keywords:
  - "制作视频"
Confidence
67% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.