Back to skill

Security audit

VoxCPM中文配音

Security checks across malware telemetry and agentic risk

Overview

This dubbing skill mostly matches its purpose, but it also includes under-disclosed Bilibili publishing code and sends media-derived data to external APIs despite claiming local/data-safe operation.

Review before installing. Use it only if you are comfortable sending transcripts and selected video frames to configured third-party AI endpoints. Remove or ignore scripts/upload_bilibili.py unless you explicitly want Bilibili publishing, and do not place Bilibili session credentials at its hardcoded path unless you intend this skill package to have upload authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tainted flow: 'cmd' from os.environ.get (line 512, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
frame_path = str(temp_dir / "subtitle_check.jpg")
    ffmpeg = config['ffmpeg_path']
    cmd = [ffmpeg, "-y", "-ss", "30", "-i", video_path, "-vframes", "1", "-q:v", "2", frame_path]
    result = subprocess.run(cmd, capture_output=True)
    
    if not os.path.exists(frame_path):
        print("  [!] 无法提取视频帧,默认不覆盖")
Confidence
86% confidence
Finding
result = subprocess.run(cmd, capture_output=True)

Tainted flow: 'cmd' from os.environ.get (line 512, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def run_ffmpeg(cmd):
    result = subprocess.run(cmd, capture_output=True, text=True, encoding='utf-8', errors='replace')
    return result.returncode == 0
Confidence
84% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, encoding='utf-8', errors='replace')

Tainted flow: 'cmd' from os.environ.get (line 512, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"-vf", vf, "-map", "0:v", "-map", "1:a",
           "-c:v", codec, "-preset", "default", "-c:a", "aac", output_path]
    
    result = subprocess.run(cmd, capture_output=True, text=True, encoding='utf-8', errors='replace')
    if result.returncode == 0:
        print(f"[OK] {output_path}")
        return True
Confidence
87% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, encoding='utf-8', errors='replace')

Tainted flow: 'cmd_simple' from os.environ.get (line 522, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"-vf", f"subtitles='{srt_escaped}':force_style='{style_str}'",
                  "-map", "0:v", "-map", "1:a",
                  "-c:v", codec, "-preset", "default", "-c:a", "aac", output_path]
    result2 = subprocess.run(cmd_simple, capture_output=True, text=True, encoding='utf-8', errors='replace')
    return result2.returncode == 0
Confidence
87% confidence
Finding
result2 = subprocess.run(cmd_simple, capture_output=True, text=True, encoding='utf-8', errors='replace')

Tainted flow: 'vision_url' from os.environ.get (line 122, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
vision_model = config.get('vision', {}).get('model', 'Qwen/Qwen2.5-VL-72B-Instruct')
    
    try:
        resp = requests.post(
            vision_url,
            headers={"Authorization": f"Bearer {translate_key}", "Content-Type": "application/json"},
            json={
Confidence
97% confidence
Finding
resp = requests.post( vision_url, headers={"Authorization": f"Bearer {translate_key}", "Content-Type": "application/json"}, json={ "model":

Tainted flow: 'api_url' from os.environ.get (line 214, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
            
            try:
                resp = requests.post(api_url, headers=headers, json=data, timeout=60)
                result = resp.json()
                
                if 'choices' in result:
Confidence
96% confidence
Finding
resp = requests.post(api_url, headers=headers, json=data, timeout=60)

Tainted flow: 'api_url' from os.environ.get (line 214, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
for text in batch:
                for _ in range(3):
                    try:
                        resp = requests.post(
                            api_url,
                            headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
                            json={
Confidence
96% confidence
Finding
resp = requests.post( api_url, headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation claims local execution and data safety, yet other sections state that translation and subtitle-detection content is sent automatically to third-party APIs. This is a misleading security assurance that can cause users to expose sensitive audio, transcript, or frame-derived data under false assumptions about locality and privacy. Misrepresentation of data flow is a security-relevant documentation flaw.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script performs authenticated publication to a third-party Bilibili account, which materially extends the skill from dubbing/localization into account action automation. In the context of a dubbing skill, undisclosed upload capability is dangerous because it can publish user content or derived content externally, creating privacy, compliance, and account-abuse risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file loads persistent Bilibili credentials from a local JSON file and constructs an authenticated client capable of uploading content. Embedding authenticated third-party publishing capability in a skill whose stated purpose is Chinese dubbing/localization increases the chance of unauthorized posting, misuse of account tokens, and hidden side effects beyond user expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that translation and vision APIs are called automatically, but it does not clearly warn users that transcript text and video-derived content may be sent to third-party services. Because the input is user media, this can expose sensitive or copyrighted material without sufficiently informed consent. Automatic external transmission in a media-processing skill raises real privacy and compliance concerns.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The configuration includes third-party API endpoints and an API key field but provides no warning that video, audio, subtitle, or image-derived content may be transmitted to an external service. In a dubbing skill, this can expose sensitive media content and credentials if users assume processing is local or mishandle the API key.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill uploads video frames and transcript-derived content to third-party AI services without any explicit warning, consent, or data-handling disclosure. In the context of user videos, this can expose private imagery, speech content, and metadata to external providers unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
"voxcpm_dir": "./VoxCPM",
  "ffmpeg_path": "ffmpeg",
  "translate": {
    "api_url": "https://api.siliconflow.cn/v1/chat/completions",
    "api_key": "YOUR_API_KEY_HERE",
    "model": "tencent/Hunyuan-MT-7B"
  },
Confidence
90% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
"model": "tencent/Hunyuan-MT-7B"
  },
  "vision": {
    "api_url": "https://api.siliconflow.cn/v1/chat/completions",
    "model": "Qwen/Qwen2.5-VL-72B-Instruct"
  },
  "whisper": {
Confidence
90% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.