Security audit

Maverick Google Video Url Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-provided public video URL and prompt to Google Gemini for analysis, with no evidence of hidden or destructive behavior.

Install this only if you intend to use Google Gemini for video analysis. Use a scoped API key where possible, expect provider-side quota or costs, and avoid sending private URLs, embedded access tokens, internal links, or confidential prompts unless that is acceptable under your data policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The script transmits the user-supplied video URL and prompt to Google's Gemini API, which is an external third-party service, but the code provides no explicit warning, confirmation, or privacy notice at the point of transmission. In an agent-skill context, this can cause users or calling systems to unknowingly send sensitive URLs, embedded access tokens, or confidential prompts off-platform, creating a real data exposure risk even though the behavior appears intentional and functional.

VirusTotal

54/54 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.