
Security audit

百度智能云VOD字幕擦除 (Baidu AI Cloud VOD Subtitle Erasure)

Security checks across malware telemetry and agentic risk

Overview

The skill is a Baidu VOD subtitle/region erasure tool. It authenticates with user-provided Baidu cloud credentials and uploads the selected videos to Baidu services for processing.

Install only if you are comfortable sending the selected videos to Baidu VOD, using Baidu cloud credentials from environment variables, potentially incurring paid VOD charges, and optionally using your bdpan login for netdisk transfers. Review commands before confirming, especially deletion, batch processing, and netdisk upload options.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares only local tools, yet its documented behavior depends on environment secrets (BAIDU_VOD_AK/SK), shell execution, and outbound network access to Baidu VOD and possibly to the netdisk. This undeclared capability boundary matters because neither users nor policy systems can accurately assess what data leaves the host or which credentials the skill needs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The manifest frames the skill as a subtitle-removal tool, but the documentation expands behavior to task listing/query/deletion, time-range erasure, and other operational controls. Description-behavior drift is risky because it can cause users or orchestrators to authorize a seemingly narrow media-editing tool that actually performs broader remote actions, including destructive task deletion.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill scope expands from subtitle removal into logo/watermark removal, time-scoped erasure, and task query/deletion, which are materially different operations from the advertised purpose. This increases the chance of overbroad invocation and unintended destructive actions, especially when users may not realize the tool can modify arbitrary video regions or manage remote jobs.

Description-Behavior Mismatch

Low
Confidence
71% confidence
Finding
The examples and decision tree introduce netdisk upload/download and asynchronous task management behaviors beyond the core manifest description. While not inherently malicious, undocumented external transfer and remote task handling reduce transparency and can surprise users about where their media is sent and stored.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger rule includes broad language such as "any request to process video subtitles", which can activate the skill in contexts where the user did not intend to start a paid, networked video-processing workflow. Overbroad triggering increases accidental execution, data exposure, and surprise billing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes uploading processed videos to netdisk without a clear up-front warning that user media will be transmitted to external services and potentially stored remotely. For video content, this can expose sensitive or copyrighted material and create privacy, compliance, and retention risks.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The download function fetches remote content and writes it directly to an arbitrary output_path with no confirmation, no path restriction (such as confining writes to a working directory), and no size or content validation. In an agent skill context this can overwrite local files or silently place untrusted data on disk, which is more dangerous here because the skill is explicitly designed to fetch processed media back into the user's environment.
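The following is an added example of the three controls this finding asks for, written for this audit page rather than taken from the skill under review. All names (safe_download, resolve_output_path, MAX_BYTES) and the 50 MiB cap are assumptions; the byte chunks it writes are constructed sample data, not a real video. It confines output_path to an allowed root, refuses to overwrite anything that already exists (atomically, via O_EXCL), and caps the bytes actually received rather than trusting a remote Content-Length.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable

# Hypothetical names and limits; not taken from the audited skill.
MAX_BYTES = 50 * 1024 * 1024  # refuse anything larger than 50 MiB


class DownloadRejected(Exception):
    """Raised when the output path or the payload fails a policy check."""


def resolve_output_path(output_path: str, allowed_root: str) -> Path:
    """Confine output_path to allowed_root and refuse to clobber existing files.

    Relative paths are taken relative to allowed_root; absolute paths are
    accepted only if they already lie under it. resolve() follows symlinks in
    existing parent directories, so a symlinked subdirectory that points
    outside the root is rejected as well.
    """
    root = Path(allowed_root).resolve()
    candidate = Path(output_path)
    if not candidate.is_absolute():
        candidate = root / candidate
    target = candidate.resolve()
    if target == root:
        raise DownloadRejected("output path must name a file, not the root directory")
    if root not in target.parents:
        raise DownloadRejected(f"output path escapes {root}: {target}")
    if target.exists() or target.is_symlink():
        raise DownloadRejected(f"refusing to overwrite existing path: {target}")
    return target


def safe_download(chunks: Iterable[bytes], output_path: str, allowed_root: str,
                  max_bytes: int = MAX_BYTES) -> Path:
    """Stream chunks to a confined path, enforcing a byte cap while writing.

    chunks stands in for a streamed HTTP body (e.g. requests' iter_content);
    the cap counts bytes actually received, since Content-Length is chosen by
    the remote side.
    """
    target = resolve_output_path(output_path, allowed_root)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL makes creation atomic: if anything appeared at target between the
    # check above and this open (including a symlink), the open fails instead
    # of truncating whatever is there.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    written = 0
    try:
        with os.fdopen(fd, "wb") as fh:
            for chunk in chunks:
                written += len(chunk)
                if written > max_bytes:
                    raise DownloadRejected(f"payload exceeds {max_bytes} bytes")
                fh.write(chunk)
    except Exception:
        target.unlink(missing_ok=True)  # never leave a partial file behind
        raise
    return target


def _rejected(fn) -> bool:
    """True if fn() raises DownloadRejected."""
    try:
        fn()
    except DownloadRejected:
        return True
    return False


def run_demo() -> dict:
    """Exercise each check in a scratch directory; returns outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample bytes, not a real MP4.
        body = [b"\x00\x00\x00\x18ftypmp42", b"constructed-sample-bytes"]
        written = safe_download(body, "out/clean.mp4", root)
        results["normal"] = written.read_bytes() == b"".join(body)
        results["traversal_blocked"] = _rejected(
            lambda: safe_download(body, "../escape.mp4", root))
        outside = os.path.join(tempfile.gettempdir(), "outside.mp4")
        results["absolute_outside_blocked"] = _rejected(
            lambda: safe_download(body, outside, root))
        results["overwrite_blocked"] = _rejected(
            lambda: safe_download(body, "out/clean.mp4", root))
        big = [b"x" * 10] * 3  # 30 bytes against a 20-byte cap
        results["oversized_blocked"] = (
            _rejected(lambda: safe_download(big, "big.bin", root, max_bytes=20))
            and not (Path(root) / "big.bin").exists())
    return results


if __name__ == "__main__":
    print(run_demo())
```

A confirmation prompt, which the finding also mentions, belongs in the agent harness rather than in this helper; what the helper guarantees is that even an unconfirmed call cannot write outside the chosen root, replace an existing file, or fill the disk.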

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.