Terrain Route Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed route-video generator that uses local rendering files, public map/routing services, and FFmpeg in ways that match its stated purpose.

Run it in a fresh working folder and virtual environment. Avoid sensitive home/work routes unless you are comfortable sending coordinates and map tile areas to public OSRM/OpenTopoMap services, and choose output paths carefully because the FFmpeg command overwrites the target MP4.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill documentation instructs users to run a Python script that reads local files, makes network requests to OSRM/OpenTopoMap, and invokes external tooling such as FFmpeg, yet the skill declares no permissions. This is not inherently malicious, but the missing permission declaration reduces transparency and weakens review controls because users and platforms are not clearly informed that the skill can access files, the network, and shell-executed binaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal