video generation pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed video-generation helper that writes a storyboard file and calls Zhipu's video API using the user's API key.

Install this only if you intend to use Zhipu CogVideoX-3. Keep ZHIPUAI_API_KEY out of source control and chat logs, review storyboard/storyboard.json before running the script, avoid confidential prompt content, and only override BIGMODEL_API_BASE if you trust the alternate endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill directs the agent to read environment variables, write files under the project root, and perform outbound network requests, but it does not declare any permissions or capability boundaries. That creates a transparency and governance gap: users and orchestrators cannot accurately assess or constrain what the skill may access before it runs.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding:
The skill instructs the agent to create a directory and write storyboard/storyboard.json in the project root without an explicit warning or confirmation step about modifying local files. In most cases this is low risk, but it can still surprise users, overwrite existing work, or cause unintended repository changes when used in an automated environment.

VirusTotal

66/66 vendors flagged this skill as clean.