Security audit

Wjs Localizing Video

Security checks across malware telemetry and agentic risk

Overview

This video-localization skill is mostly coherent, but review is warranted because it directs the workflow toward automatic use of an unpinned third-party ffmpeg binary and delegates core work to other skills not included in this package.

Install only if you are comfortable reviewing the referenced sub-skills and controlling their execution. Avoid automatic ffmpeg downloads unless you trust and can verify the binary source, use least-privilege Volcano TTS credentials, and do not process private videos unless you are comfortable sending transcript or subtitle text to the selected LLM and TTS providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 79%
Finding
The README instructs users to export sensitive TTS credentials but provides no warning about secret handling, shell history exposure, environment leakage, or avoiding hardcoding tokens. In an agent-assisted workflow, this increases the chance users paste live secrets into prompts, scripts, logs, or shared terminals, causing credential disclosure and unauthorized API use.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.