Back to skill

Security audit

Al Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ShortAPI video-generation helper that sends user-approved generation inputs to ShortAPI and has no hidden install code or unrelated local access.

Install this only if you intend to use ShortAPI for video generation. Use a dedicated ShortAPI key if possible, review prompts, media URLs, and callback URLs before submission, avoid sending sensitive content unless you are comfortable sharing it with ShortAPI, and ensure polling has a reasonable timeout or user-visible status.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs agents to transmit user prompts and the user's SHORTAPI_KEY to a third-party service, but it does not require a clear user-facing consent step or warning that data will leave the host environment. This creates a real privacy and trust risk because potentially sensitive prompts, media references, and credentials are used in external requests without explicit informed approval at time of use.

External Transmission

Medium
Category
Data Exfiltration
Content
#### Bash (cURL) Example

```bash
response=$(curl --request POST \
  --url https://api.shortapi.ai/api/v1/job/create \
  --header "Authorization: Bearer $SHORTAPI_KEY" \
  --header "Content-Type: application/json" \
Confidence
95% confidence
Finding
curl --request POST \ --url https://api.shortapi.ai/api/v1/job/create \ --header "Authorization: Bearer $SHORTAPI_KEY" \ --header "Content-Type: application/json" \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
response=$(curl --request POST \
  --url https://api.shortapi.ai/api/v1/job/create \
  --header "Authorization: Bearer $SHORTAPI_KEY" \
  --header "Content-Type: application/json" \
  --data '{
Confidence
94% confidence
Finding
https://api.shortapi.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl --request GET \
  --url "https://api.shortapi.ai/api/v1/job/query?id=$JOB_ID" \
  --header "Authorization: Bearer $SHORTAPI_KEY"
```
Confidence
90% confidence
Finding
https://api.shortapi.ai/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.