Security audit

focusavatar

Security checks across malware telemetry and agentic risk

Overview

The skill appears aligned with a FocusAvatar video-generation service, but it can send API credentials to an environment-configured endpoint, which users should review before installing.

Install only if you intend to use FocusAvatar and are comfortable sending the supplied media/text plus API credentials to its backend. Keep FOCUSAVATAR_API unset unless you deliberately trust the alternate endpoint, use least-privilege or disposable credentials if available, and watch for broad invocations that may submit jobs without an explicit FocusAvatar request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tainted flow: 'headers' from os.environ.get (line 105, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
headers = make_auth_headers(access_key_id, access_key_secret)
try:
    payload = {"mp3": mp3, "mp4": mp4, "text": text}
    resp = requests.post(
        API_ENDPOINT.rstrip("/") + "/skill/api/submit",
        json=payload,
        headers=headers,
Confidence
94% confidence
Finding
resp = requests.post( API_ENDPOINT.rstrip("/") + "/skill/api/submit", json=payload, headers=headers, timeout=999999,

Tainted flow: 'status_url' from os.environ.get (line 148, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
while True:
    try:
        poll_count += 1
        r = requests.post(
            status_url,
            json={"orderNo": task_id},
            headers=headers,
Confidence
93% confidence
Finding
r = requests.post( status_url, json={"orderNo": task_id}, headers=headers, timeout=999999,

Tainted flow: 'url' from os.environ.get (line 210, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def query_result(order_no: str, key_id: str, key_secret: str):
    url = API_ENDPOINT.rstrip("/") + "/skill/api/api/result"
    h = make_auth_headers(key_id, key_secret)
    r = requests.post(url, json={"orderNo": order_no}, headers=h, timeout=30)
    r.raise_for_status()
    # Handle the response: parse it if it is a string, use it directly if it is already a dict
    raw = r.json()
Confidence
92% confidence
Finding
r = requests.post(url, json={"orderNo": order_no}, headers=h, timeout=30)

Tainted flow: 'RESULT_URL' from os.environ.get (line 12, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"""
    headers = _auth_headers(access_key_id, access_key_secret)
    payload = {"orderNo": order_no}
    r = requests.post(RESULT_URL, json=payload, headers=headers, timeout=30)
    r.raise_for_status()
    raw = r.json()
    return json.loads(raw) if isinstance(raw, str) else raw
Confidence
92% confidence
Finding
r = requests.post(RESULT_URL, json=payload, headers=headers, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation clearly indicates it uses environment variables for credentials and makes outbound network requests to a configurable backend, yet no permissions are declared. This creates a transparency and consent problem: users or hosting platforms may not realize the skill can read secrets from the environment and transmit user-supplied data plus authentication headers to a remote service.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list contains broad terms such as general video-generation and speech-related phrases that can match ordinary user requests beyond the skill's intended scope. This can cause unintended invocation of a credentialed external API skill, increasing the chance of surprise actions, data being sent to a third-party backend, or users being routed into this tool when they did not explicitly request it.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.