Security audit

SGLang-Diffusion Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward local video-generation helper that sends prompts to a configured SGLang-Diffusion server and saves the resulting video.

Install only if you intend to use a trusted SGLang-Diffusion server. Avoid sending private prompts or images to a server you do not control, keep the API key private, and choose output paths carefully because the script can write the downloaded video there.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill documentation indicates capabilities to access environment variables, read and write files, and make network requests, but it does not declare any corresponding permissions. This creates a transparency and policy-enforcement gap: users or the runtime may not realize the skill can contact arbitrary servers, read local inputs, write outputs to disk, and access API keys from the environment. In this context the behavior is partly expected for a video-generation skill, but the lack of explicit permissions still makes misuse or overbroad access harder to review and constrain.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.