Wan Video Generation and Editing

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Alibaba DashScope video generation and editing wrapper, but users should treat submitted prompts and media as third-party uploads.

Install only if you intend to use Alibaba DashScope/Wan services with your own API key. Do not submit private, regulated, proprietary, or unauthorized voice/image/video material unless you are comfortable sending it to Alibaba for processing and billing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares required environment variables and uses external URLs/API-backed operations, but does not expose explicit permissions or trust boundaries to the user. That can cause users to invoke a networked, credentialed skill without clear consent or understanding that secrets and remote requests are involved.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill is specifically designed to submit prompts, images, videos, and audio URLs to an external Alibaba service using an API key, yet the description does not warn about third-party data transmission. Users may unknowingly upload sensitive media or proprietary prompts, creating confidentiality, privacy, and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to send prompts, images, video clips, and audio to a remote Alibaba DashScope endpoint but does not warn that this content leaves the local environment and is processed by a third-party service. In a media-generation skill, users may upload sensitive or proprietary media, so the omission can cause unintentional privacy, confidentiality, or compliance exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly advertises voice cloning/reference capabilities without any warning about consent, impersonation risk, biometric sensitivity, or legal/privacy requirements. In the context of an agent skill, this materially increases the risk of misuse for non-consensual voice cloning, social engineering, harassment, or deceptive media generation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation tells users to send bearer credentials and upload media URLs to an external third-party API, but it does not warn that user content and authentication material are being transmitted off-platform. That omission can lead to unsafe integration patterns, accidental disclosure of sensitive media, and inadequate user consent regarding third-party data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation allows users to supply an external audio URL that will be fetched and processed by a third-party video-generation service, but it does not warn that this transmits user-provided content and associated metadata off-platform. This creates a real privacy and data-handling risk, especially if users provide sensitive, private, or internally hosted media URLs without understanding the disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Local files supplied by the user are automatically read, base64-encoded, and embedded into requests sent to a third-party cloud API. In a skill context, this can cause inadvertent upload of sensitive local media or documents if a user misunderstands that a local path will be transmitted off-machine.

VirusTotal

66/66 vendors flagged this skill as clean.
