Security audit

Wjs Localizing Video

Security checks across malware telemetry and agentic risk

Overview

This video-localization skill is mostly coherent, but review is warranted because it directs the workflow toward automatic use of an unpinned third-party ffmpeg binary and delegates core work to other skills not included in this package.

Install only if you are comfortable reviewing the referenced sub-skills and controlling their execution. Avoid automatic ffmpeg downloads unless you trust and can verify the binary source, use least-privilege Volcano TTS credentials, and do not process private videos unless you are comfortable sending transcript or subtitle text to the selected LLM and TTS providers.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 79% confidence
Finding: The README instructs users to export sensitive TTS credentials but provides no warning about secret handling, shell history exposure, environment leakage, or avoiding hardcoding tokens. In an agent-assisted workflow, this increases the chance users paste live secrets into prompts, scripts, logs, or shared terminals, causing credential disclosure and unauthorized API use.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.