Security audit

Aigc Videogen

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed LinkFox AI video-generation skill that calls LinkFox APIs, waits for results, and saves generated videos locally.

Install only if you intend to use LinkFox for AI video generation and are comfortable sending image URLs, prompts, and an API key to the LinkFox service. Because generation can be slow and may consume credits, confirm ambiguous requests before running it and review the saved media/data paths if local output retention matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill documentation describes capabilities that perform network requests, write files, and access environment-backed execution context, but the skill declares no corresponding permissions. This creates a transparency and policy-enforcement gap: reviewers, users, or runtime controls may underestimate what the skill can do, while the script downloads remote content and stores artifacts locally.

Vague Triggers

Medium
Confidence: 78%
Finding: The trigger list includes broad everyday phrases such as '做个视频', 'AI视频', and 'generate video', which can match benign user requests and invoke the skill unintentionally. In this skill's context, accidental invocation is more concerning because it can initiate long-running networked generation jobs and file writes, potentially causing unwanted external requests, cost, or data handling.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.