Back to skill

Security audit

Video Comment Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill visibly reviews video comments and creates a local HTML business report, with no evidence of hidden code, credential use, data exfiltration, or destructive behavior.

Install if you want a guided video-comment business analysis workflow. Expect the agent to open the video page, scroll and sample visible comments, expand selected replies, save a local HTML report, and open that report when finished. Avoid using it on private or sensitive comment pages unless you are comfortable with those comments being summarized in the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation criteria are very broad and cover generic requests to view or analyze comments across multiple platforms, which can cause the skill to trigger for common browsing or analysis tasks where the user did not ask for this specific workflow. That creates a scope-selection risk: the agent may enter a prescriptive browser-automation/report-generation flow unnecessarily, increasing the chance of over-collection, unintended navigation, or producing outputs misaligned with user intent.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill hard-codes a six-dimension framework in Chinese unless the user explicitly asks otherwise, which can override user preferences and constrain output format without opt-in. This is risky because it can silently steer the agent into a language/framework mismatch, reducing transparency and increasing the likelihood of delivering the wrong analysis structure for the task.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The manual instructs the agent to automatically open the final analysis report page after completion without mentioning user confirmation. In an agent/browser context, triggering navigation or opening pages without notice can surprise users, interrupt their workflow, and normalize unauthorized UI actions, especially if future report destinations become external or dynamic.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.