Back to skill

Security audit

Video Summarizer

Security checks across malware telemetry and agentic risk

Overview

This is a useful video summarizer, but it should be reviewed because it can use Chrome browser cookies and send transcript text to external AI services.

Install only after reviewing whether you are comfortable with browser-cookie use and remote LLM processing. Avoid running it on private, confidential, or account-restricted videos unless you control the LLM endpoint, limit the environment tokens available to the process, choose safe output locations, and clean up generated media, transcript, and frame files afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'url' from requests.get (line 114, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
def _download_caption(url: str) -> Optional[str]:
    try:
        import requests
        r = requests.get(url, timeout=15)
        if r.status_code == 200 and r.text.strip():
            return r.text
    except Exception:
Confidence
88% confidence
Finding
r = requests.get(url, timeout=15)

Tainted flow: 'api_url' from os.environ.get (line 519, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
        if api_key:
            headers["Authorization"] = f"Bearer {api_key}"
        response = requests.post(
            api_url,
            headers=headers,
            json={
Confidence
97% confidence
Finding
response = requests.post( api_url, headers=headers, json={ "model": model, "messages": [{"role": "user", "content": prompt}]

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities to read environment variables, access files, write outputs under /tmp or user paths, invoke shell commands for setup and ffmpeg/yt-dlp, and make network requests, yet it declares no permissions. This creates a transparency and consent problem: users and the agent may invoke a high-privilege skill without an explicit understanding that it can access secrets, local data, external services, and the shell.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code harvests multiple unrelated environment credentials and repurposes them across several third-party LLM backends, including a free anonymous fallback. In a skill context, this materially expands the blast radius of available secrets and creates surprising data flows unrelated to basic transcript extraction.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Bilibili download path uses --cookies-from-browser chrome, which accesses sensitive browser session cookies from the local machine. For a summarization tool, this is unusually invasive and can expose authenticated browser data far beyond what users expect for transcript extraction.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly documents sending transcripts and related video content to third-party LLM providers, including anonymous/free endpoints, but does not clearly warn users that transcript text may contain sensitive or copyrighted material that will leave the local environment. In an agent skill context, users may run this on arbitrary videos or private/internal content, so the omission can lead to unintentional data disclosure to external services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The automation example instructs users to write summaries to a file and forward results to Discord, Feishu, or Telegram without warning that transcripts, summaries, and metadata may contain sensitive information. In a cron/agent workflow this increases the chance of broad, repeated dissemination of potentially confidential or regulated content through local files and third-party messaging platforms.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly mentions use of Chrome cookies, a Cloudflare proxy, external LLM APIs, and anonymous/free third-party summarization endpoints, but it does not clearly warn users what data may be transmitted or what authentication material may be accessed and forwarded. In this context, transcripts, video metadata, browsing-derived cookies, and possibly API tokens could be exposed to third parties, making the privacy risk materially significant.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Accessing Chrome cookies without an explicit warning or consent is a sensitive-privacy violation and can expose account sessions. In this skill context, hidden browser-cookie access is more dangerous because summarization does not inherently require privileged browser data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The transcript is sent to external LLM services, including configurable or anonymous providers, without any clear user warning. Video transcripts may contain private, copyrighted, or sensitive material, so silent outbound transmission creates data-handling risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.