anyvideos

Security checks across malware telemetry and agentic risk

Overview

This is a coherent media-downloader skill that uses a disclosed AnyVideos API key and service, with privacy and local-install caveats users should understand.

Install this only if you are comfortable sending media URLs to AnyVideos and using an AnyVideos API key that may consume credits or quota. Avoid submitting private, signed, internal, or account-specific links, review any ffmpeg install command before running it, and choose filenames or output folders deliberately to avoid overwriting local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding:
The skill is user-invocable and framed broadly enough that generic requests to 'download' or 'save' media could trigger it without the user clearly understanding that their supplied URL will be sent to an external service. That can cause unintended third-party disclosure of private, expiring, or authenticated links and may lead users to invoke the skill in situations they did not intend.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The workflow tells the agent to POST user-provided URLs to https://anyvideos.yx.lu/api/extract but never instructs it to warn the user that their URL will be shared with a third party. If users provide private, signed, internal, or sensitive links, this creates a privacy and data-handling risk through silent external transmission.

VirusTotal

65/65 vendors flagged this skill as clean.
