Back to skill

Security audit

Pipixia Drama Producer

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does the stated video-production workflow, but it can post media to Feishu and contains an unsafe script pattern that could run unintended local code with crafted inputs.

Review before installing. Use only in a trusted workspace, set Feishu credentials for a least-privilege app, verify the chat_id and files before sending, and avoid or patch send_video.sh for untrusted filenames or FFPROBE values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Tainted flow: 'FFPROBE' from os.environ.get (line 16, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
FFPROBE = os.environ.get("FFPROBE", "ffprobe")

def get_duration(f):
    r = subprocess.run([FFPROBE, "-v", "quiet", "-show_entries", "format=duration",
                        "-of", "csv=p=0", f], capture_output=True, text=True)
    return float(r.stdout.strip())
Confidence
96% confidence
Finding
r = subprocess.run([FFPROBE, "-v", "quiet", "-show_entries", "format=duration", "-of", "csv=p=0", f], capture_output=True, text=True)

Tainted flow: 'cmd' from os.environ.get (line 71, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"-shortest", args.output
    ]

    r = subprocess.run(cmd, capture_output=True, text=True)
    if r.returncode == 0:
        print(f"✓ Output: {args.output}")
    else:
Confidence
97% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True)

Tainted flow: 'cmd1' from os.environ.get (line 29, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"-c:v", "libx264", "-crf", "22", "-preset", "fast",
            "-c:a", "aac", "-ar", "44100", "-ac", "2",
            norm_out]
    r1 = subprocess.run(cmd1, capture_output=True, text=True)
    if r1.returncode != 0:
        print("✗ Normalize failed:", r1.stderr[-300:])
        sys.exit(1)
Confidence
90% confidence
Finding
r1 = subprocess.run(cmd1, capture_output=True, text=True)

Tainted flow: 'cmd2' from os.environ.get (line 40, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"-c:v", "libx264", "-crf", "22", "-preset", "fast",
            "-c:a", "aac", "-ar", "44100", "-ac", "2",
            args.output]
    r2 = subprocess.run(cmd2, capture_output=True, text=True)
    if r2.returncode != 0:
        print("✗ Trim failed:", r2.stderr[-300:])
        sys.exit(1)
Confidence
90% confidence
Finding
r2 = subprocess.run(cmd2, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly relies on shell execution and sensitive environment variables (including Feishu credentials), but it does not declare permissions or otherwise constrain these capabilities. This reduces transparency and weakens review/consent boundaries, increasing the chance that a user or platform invokes a skill with broader access than expected.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation text includes broad everyday phrases such as generating shots, editing video, dubbing, adding music, or sending media to Feishu, which can cause the skill to trigger in situations where the user did not intend full workflow execution. In a skill with shell execution and external sending capabilities, accidental activation raises the risk of unintended processing or publication.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents sending video and audio messages to a Feishu group but does not require an explicit user warning or confirmation at the point of external transmission. Because this action can disclose generated media, text, or metadata to a group chat, accidental or implicit sending creates a real data-leak and privacy risk.

Unvalidated Output Injection

High
Category
Output Handling
Content
FFPROBE_BIN="${FFPROBE:-ffprobe}"
DURATION=$(python3 -c "
import subprocess, sys
r = subprocess.run(['$FFPROBE_BIN','-v','quiet','-show_entries','format=duration','-of','csv=p=0','$VIDEO_FILE'], capture_output=True, text=True)
print(int(float(r.stdout.strip())*1000) if r.stdout.strip() else 0)
" 2>/dev/null || echo 0)
Confidence
89% confidence
Finding
subprocess.run(['$FFPROBE_BIN','-v','quiet','-show_entries','format=duration','-of','csv=p=0','$VIDEO_FILE'], capture_output

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.