Back to skill

Security audit

Video Agent (Deprecated)

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate but deprecated HeyGen video-generation skill that sends user-chosen prompts, media, and account actions to HeyGen, with no hidden installer or malicious behavior found.

Prefer the newer create-video or avatar-video skills when possible. Install this legacy skill only if you are comfortable giving an agent HeyGen API access; review prompts, portraits, uploaded files, recipient data, remote asset URLs, webhook destinations, and delete requests before use, and require webhook signature verification in real deployments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The upload-from-URL example introduces arbitrary server-side fetching of attacker-controlled URLs before re-uploading the content to HeyGen. In an agent or backend context, this can enable SSRF-style behavior, unexpected external access, and transfer of internal or sensitive network resources if the source URL is not tightly restricted.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document explicitly recommends use of a deprecated `/v1/video.webm` endpoint for transparent-background workflows. Deprecated API guidance is dangerous because users may build against unsupported paths that can lack current security controls, break unexpectedly, or miss newer auth/validation safeguards available in the v3 replacements.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The reference presents deprecated v1/v2 endpoints as the primary workflow even though the skill metadata says these flows are deprecated in favor of v3 replacements. This can drive users to build against outdated APIs with weaker support, incorrect assumptions, and a higher chance of insecure or broken integrations over time.

Missing User Warnings

Medium
Confidence
73% confidence
Finding
The documentation states that uploaded media will be stored and that an accessible asset URL is returned, but it provides no warning about privacy, access scope, retention, or exposure of sensitive media. Users may upload confidential files assuming they remain private, creating a data exposure risk through mishandled or shareable asset URLs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs users to upload portrait photos and generate talking avatars without clearly warning that personal biometric-like image data and associated metadata are transmitted to a third-party external service. In this context, the skill handles sensitive user media, so lack of explicit disclosure and consent guidance increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The deletion examples show irreversible removal of photo avatars and avatar groups without warning users that the action is permanent and may affect downstream videos or reusable assets. This omission can lead to accidental data loss in operational use.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The guidance prescribes culture-specific attire ('Red qipao with gold embroidery') for a content type without requiring user preference, locale, or cultural context validation. In a prompt-generation skill, this can lead to stereotyping, inappropriate cultural representation, or unsafe default personalization decisions at scale, especially when users did not request culturally specific depictions.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The guide includes code that reads an API key from environment variables and sends user-provided script content to an external service without an explicit warning about credential use or third-party data transmission. In documentation used by automation agents or developers, this can lead to inadvertent disclosure of sensitive content to HeyGen and unsafe handling of production credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples encourage sending personalized recipient data such as names, emails, companies, and custom messages to a third-party API without any privacy notice, minimization guidance, or consent considerations. In a skill context, this can normalize bulk transmission of personal data and lead users to process regulated or sensitive information without evaluating legal, contractual, or retention implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to send free-form prompts and optional uploaded assets to HeyGen, but it does not clearly warn that this content leaves the local environment and is shared with a third-party service. In a skill context, users may include sensitive business data, personal information, or proprietary media in prompts/assets without realizing the privacy implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to send scripts/audio and an API key to an external service without any privacy, retention, or data-handling notice. In this context, users may unknowingly transmit sensitive prompts, recordings, or credentials into a third-party workflow without evaluating whether that is permitted.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The callback_url feature allows event data and identifiers to be delivered to any user-specified external endpoint, but the document does not warn about the resulting data disclosure or the need to validate and secure that destination. This increases the risk of accidental exfiltration, SSRF-like misuse in downstream tooling, or sending job metadata to untrusted infrastructure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The primary webhook handler examples accept and process untrusted POST data before requiring any authenticity check, which can lead readers to implement insecure handlers that trust forged webhook events. In this context, a forged success/failure event could trigger application state changes, order updates, or downstream processing without HeyGen ever sending the event.

External Transmission

Medium
Category
Data Exfiltration
Content
const buffer = Buffer.from(await sourceResponse.arrayBuffer());

  // 2. Upload directly to HeyGen
  const response = await fetch("https://upload.heygen.com/v1/asset", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.HEYGEN_API_KEY!,
Confidence
88% confidence
Finding
fetch("https://upload.heygen.com/v1/asset", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
): Promise<string> {
  const dimension = DIMENSIONS[preset];

  const response = await fetch("https://api.heygen.com/v2/video/generate", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.HEYGEN_API_KEY!,
Confidence
85% confidence
Finding
fetch("https://api.heygen.com/v2/video/generate", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
): Promise<string> {
  const { style = "normal", backgroundColor = "#1a1a2e" } = options;

  const response = await fetch("https://api.heygen.com/v2/video/generate", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.HEYGEN_API_KEY!,
Confidence
85% confidence
Finding
fetch("https://api.heygen.com/v2/video/generate", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
): Promise<string> {
  const dimension = DIMENSIONS[preset];

  const response = await fetch("https://api.heygen.com/v2/video/generate", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.HEYGEN_API_KEY!,
Confidence
85% confidence
Finding
https://api.heygen.com/

External Transmission

Medium
Category
Data Exfiltration
Content
): Promise<string> {
  const { style = "normal", backgroundColor = "#1a1a2e" } = options;

  const response = await fetch("https://api.heygen.com/v2/video/generate", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.HEYGEN_API_KEY!,
Confidence
85% confidence
Finding
https://api.heygen.com/

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.