Rdk X5 App

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only guide for running RDK X5 demo programs, with some camera, network, and sudo examples that need normal care.

Install this only if you are working with an RDK X5 board and want guidance for its preinstalled demos. Treat camera and RTSP streams as sensitive, run sudo hardware examples only when you understand the connected peripherals, use the web demo on a trusted network, and stop services when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to start nginx and a camera web service, then browse to http://<RDK_IP>:8080, which exposes a live camera feed over the network. While this appears intended for legitimate demo use, the instructions do not warn about network exposure, access controls, or limiting bind scope, so users may unintentionally publish camera output to other hosts on the LAN.

Missing User Warnings

Medium
Confidence: 96%
Finding
The RTSP example embeds credentials directly in the command line and demonstrates receiving a network video stream without warning about credential leakage or sensitive data transmission. Credentials passed this way may be exposed in shell history, process listings, logs, or screenshots, and the example normalizes unsafe handling of secrets.

VirusTotal

66/66 vendors flagged this skill as clean.
