Security audit

dpp-pipeline

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a remote video-generation workflow, but it ships under-scoped storage utilities and persistent API logging that users should review before installing.

Install only if you are comfortable sending the source video, product image, prompts, and media references to Ark and possibly uploading reference media to TOS. Use narrowly scoped Ark/TOS credentials, run it in a dedicated workspace with a minimal .env, review or delete log/ark_responses.log after use, and avoid invoking the bundled TOS list/upload demo modules unless you intentionally need those storage operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares only allowed tools but no explicit permissions, while its documented behavior clearly requires environment access, filesystem reads/writes, shell execution, and network communication. This gap weakens policy enforcement and user awareness, increasing the chance that a caller invokes a skill with broader capabilities than the manifest transparently communicates.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The description frames the skill as a simple local video-to-placement pipeline, but the body reveals materially broader behavior: remote API task creation, possible auto-upload of local media to TOS, downloading remote outputs, and detailed request/response logging. That mismatch is dangerous because users may consent to local processing while unintentionally exposing media, metadata, and credentials to external services and persistent logs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 81%
Finding: The skill description says it operates on local source media, but this client also accepts remote image/video URLs and forwards them to Ark content-generation APIs. That expands the data boundary beyond what a user may expect, and remote URL handling can pull in third-party content or metadata, creating privacy, provenance, and policy-risk issues in a media-processing workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The code configures file logging for Ark request/response traffic and also emits progress events to stdout. Because request and response payloads can include prompts, file identifiers, URLs, model outputs, and possibly sensitive business/media metadata, this creates an unnecessary exposure surface unrelated to the core video-placement function.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: This file adds a standalone TOS bucket object-listing utility that can enumerate remote object keys using environment-provided credentials, which is outside the declared purpose of a local single-product placement video pipeline. Even though it does not delete or modify data, bucket enumeration can expose sensitive filenames, dataset structure, and internal asset inventory, and it increases the skill's capability surface beyond what users would reasonably expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The code introduces direct remote bucket enumeration via `client.list_objects_type2(...)`, allowing discovery of object names and organization within the configured bucket. In the context of a skill advertised for local video generation from a source video and product image, this hidden remote discovery capability is unjustified and can facilitate data reconnaissance or unintended exposure of internal storage contents.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: This file implements a generic object-storage upload utility that can send arbitrary local files or inline text to a remote TOS bucket, which is materially broader than the skill's declared purpose of generating a product-placement video. In a skill context, this kind of hidden or unrelated data-transfer capability increases the risk of unintended exfiltration or misuse because users and reviewers would not expect it from the advertised functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The code loads cloud-storage credentials from environment variables and uses them for generic external storage operations unrelated to the stated skill purpose. Even though reading credentials from environment variables is common, bundling this capability into an unrelated skill expands the attack surface and enables unauthorized transfer of local data to externally controlled storage if invoked.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The service sends a local video file to an external Ark service when no file_id is supplied, which creates a real data-exfiltration/privacy boundary crossing. In this skill context, users may reasonably expect local media processing from the description, so silently uploading source video to a remote service can expose sensitive visual content, metadata, or regulated data without clear consent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: API request/response logs are written to disk without any indication here of user notice, consent, or redaction. This can persist sensitive prompts, model outputs, media references, and identifiers in local files where other users, processes, backups, or support tooling may later access them.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The upload_file method sends local file contents to a remote Ark service. In the context of a skill marketed around local source media, undisclosed transmission off-host can expose private or proprietary video assets and may violate user expectations or organizational data-handling rules.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: These response-generation methods send user text and media references to an external API, but this file shows no explicit privacy notice or transmission warning. Given the workflow handles product images, prompts, and video references, silent exfiltration to a remote model provider is a meaningful privacy and compliance concern.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The upload functions transmit either arbitrary local file contents or inline text to a remote endpoint without any user-facing warning or confirmation at the point of transfer. In this skill, that is especially risky because the behavior is not aligned with the declared video-processing purpose, so users may not realize local data is being sent off-host.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The wrapper implicitly points the downstream Python module at a workspace-local .env file whenever one exists, with no prompt or disclosure. In a skill that operates on user-provided workspaces, this can cause unintended loading of secrets from the current directory into the process environment or application config, increasing the chance of credential exposure or misuse by the pipeline or its dependencies.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
    export PYTHONPATH="${RUNTIME_DIR}/src${PYTHONPATH:+:${PYTHONPATH}}"
    if [[ -f "${WORKDIR}/.env" ]]; then
      export DPP_DOTENV_PATH="${WORKDIR}/.env"
    fi
    cd "${WORKDIR}"
    exec "${PYTHON_BIN}" -m dpp_storyboard.finalcut_main "$@"
Confidence: 90%
Finding: .env"

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.