Back to skill

Security audit

Wjs Overlaying Video

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but its custom overlay feature should be treated as high-trust code execution.

Install only if you trust the source and any custom overlay code you use. Avoid rendering third-party HTML or JavaScript snippets unless the renderer is sandboxed and has no access to sensitive files, credentials, or private network resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The custom overlay feature reads attacker-controlled HTML/CSS/JS fragments and injects them verbatim into the generated index.html, explicitly allowing arbitrary JavaScript execution in the render environment. In this skill context, that is more dangerous because the feature is presented as routine video post-production, but it can load remote resources, exfiltrate local data accessible to the renderer, or abuse any browser/Node integration present in HyperFrames during rendering.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.