video-frames

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-frame extraction skill, with the main caution that its installer runs a mutable remote shell script.

Use the manual install path or download and inspect the installer before running it. Be aware that setup may add files under your home directory and modify your shell PATH; verify paths before copying cleanup or uninstall commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The documentation explicitly instructs users to fetch a remote script and pipe it directly into bash, which executes unreviewed code from the network immediately. If the upstream repository, GitHub account, or transport path is compromised, users could run arbitrary commands on their machine with the privileges of their shell session.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill tells users to append to shell startup files and immediately source them without warning about persistence or the risk of corrupting shell configuration. While common, modifying rc files is security-relevant because it changes future shell behavior and can be abused if copied blindly or combined with untrusted content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal