Security audit

potplayer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PotPlayer helper, but it also documents webcam and screen-recording commands without clear consent boundaries.

Install only if you want Codex to control PotPlayer. Require explicit confirmation before opening network URLs, webcam input, screen capture, DVD/device input, or file/folder dialogs, and avoid using it with untrusted media links or screens showing private information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (89% confidence)
Finding
The skill description contains very broad activation phrases such as requests to play videos, audio, anime, TV series, or movies, which can cause the agent to invoke this skill for many ordinary media-related requests without sufficient specificity. That increases the chance of unintended execution of local applications and network media access based on ambiguous user intent.

Missing User Warnings

Medium (92% confidence)
Finding
The skill documents potentially sensitive capabilities including network streaming, webcam access, and screen recording without any user-facing warning, consent requirement, or safety guidance. In an agent setting, this can normalize launching privacy-impacting actions that access remote content or local capture devices without making the user aware of the risks.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.