video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video-generation wrapper that uses a SkillBoss API key, sends user-provided prompts or images to SkillBoss, and saves the returned video locally.

Install this only if you trust SkillBoss with the prompts and any images you provide. Choose an output path intentionally so the generated MP4 does not overwrite important files, and avoid sending private media unless that is intended.

SkillSpector

By NVIDIA

Vulnerability Patterns

Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Tainted flow: 'video_resp' from requests.get (line 127, network input) → pathlib.Path.write_bytes (file write)

Medium

Category: Data Flow
Content: print(f"Downloading video from {video_url}...") video_resp = requests.get(video_url, timeout=120) video_resp.raise_for_status() output_path.write_bytes(video_resp.content) # Verify and report if output_path.exists():
Confidence: 85% confidence
Finding: output_path.write_bytes(video_resp.content)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill declares external requirements and documents use of an API key, network access, and file output, but it does not explicitly declare corresponding permissions. This creates a transparency and governance gap: users or hosting platforms may approve and run the skill without realizing it can access secrets, call external services, and write files, which increases the risk of unintended data exposure or misuse.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal