Video Analyzer

Security checks across malware telemetry and agentic risk

Overview

This video skill mostly does what it claims, but its script can build unsafe shell commands from user-provided values, which could let a crafted request run unintended local commands.

Review before installing or wait for a version that removes shell=True and validates language codes. If you use it, invoke it only with trusted video URLs and simple language codes, and expect it to contact video sites, download models if needed, create temporary transcripts, and save requested media to your Desktop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_cmd(cmd, check=True):
    """Run a shell command and return stdout."""
    try:
        # Flagged line: shell=True hands `cmd` to the shell, so any unvalidated
        # user-provided value interpolated into `cmd` is interpreted as shell syntax.
        result = subprocess.run(cmd, shell=True, check=check, capture_output=True, text=True)
        return result.stdout
    except subprocess.CalledProcessError as e:
        if check:
            raise  # assumed continuation; the scanner's excerpt ends at `if check:`
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, check=check, capture_output=True, text=True)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly offers to download video or audio files to the Desktop without warning the user that local files will be created. Silent or poorly disclosed local writes can expose sensitive media on shared systems, clutter user environments, and violate expectations about ephemeral processing.

VirusTotal

66/66 vendors flagged this skill as clean.
